A possible scenario is that a user could lose permissions to access a view but still have the tempstore object set, and could use the AJAX endpoint to add entities to process and then execute VBO.
That would be a very limited hacking possibility, since actions also have access checks and there would be no option to modify anything else except the list of entities, but still.
Also maybe set a maximum lifetime of the tempstore object?
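An added example, not part of the original post and not Views Bulk Operations code: a plain-Python model of the scenario above, contrasting an endpoint that trusts the stored object with one that re-checks view access and object age on every request. All names, the dict standing in for the tempstore, and the `MAX_LIFETIME` value are assumptions made for illustration.

```python
import time

MAX_LIFETIME = 3600  # seconds; assumed value, the post proposes a limit without naming one


def store_selection(store, uid, view_id, now=None):
    """Create the per-user state object (stands in for the tempstore entry)."""
    store[(uid, view_id)] = {"entities": [], "created": time.time() if now is None else now}


def add_unchecked(store, uid, view_id, entity_ids):
    """Scenario from the post: the stored object alone authorises the request."""
    state = store.get((uid, view_id))
    if state is None:
        return False
    state["entities"].extend(entity_ids)
    return True


def add_checked(store, uid, view_id, entity_ids, can_access, now=None):
    """Re-check view access and the object's age on every request."""
    now = time.time() if now is None else now
    state = store.get((uid, view_id))
    if state is None:
        return False
    expired = now - state["created"] > MAX_LIFETIME
    if expired or not can_access(uid, view_id):
        del store[(uid, view_id)]  # stale state must not stay reusable
        return False
    state["entities"].extend(entity_ids)
    return True


def demo():
    """Constructed scenario: user 7 loses access to the view after selecting."""
    grants = {(7, "content_admin")}

    def can_access(uid, view_id):
        return (uid, view_id) in grants

    store = {}
    store_selection(store, 7, "content_admin", now=0)
    grants.clear()  # permission revoked; the stored object still exists
    unchecked = add_unchecked(store, 7, "content_admin", [101, 102])
    checked = add_checked(store, 7, "content_admin", [103], can_access, now=60)
    return unchecked, checked, (7, "content_admin") in store


if __name__ == "__main__":
    print(demo())
```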
Comments
Comment #3
Graber (as a volunteer) commented