For any route which is found in the user entity link template list, if the path takes a user object, any of these routes should return a not found instead of access denied, if during normal routing access checking results in an access denied result.

Scenarios including but not limited to:

  • _entity_access results in not allowed
  • An access denied exception is thrown, especially within the controller.
Comment | File | Size | Author
#3 | 3097461-improve-tests.patch | 2.9 KB | dpi
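
The behaviour requested in the summary above, sketched as a kernel exception subscriber. This is an added example, not code from the issue, the patch or the module. It assumes Drupal 9 or later (`ExceptionEvent`), a hypothetical module named `example_module`, an assumed priority of 100, and that the class is registered as a service tagged `event_subscriber` with `@entity_type.manager` as its argument.

```php
<?php

namespace Drupal\example_module\EventSubscriber;

use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Routing\RouteMatch;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ExceptionEvent;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Hypothetical subscriber: answer 404 instead of 403 on user entity routes.
 */
class UserRouteNotFoundSubscriber implements EventSubscriberInterface {

  protected $entityTypeManager;

  public function __construct(EntityTypeManagerInterface $entity_type_manager) {
    $this->entityTypeManager = $entity_type_manager;
  }

  public static function getSubscribedEvents(): array {
    // Assumed priority: run before core's subscribers build the 403 response.
    return [KernelEvents::EXCEPTION => ['onException', 100]];
  }

  public function onException(ExceptionEvent $event) {
    // Covers both routing access checks (_entity_access and others) and
    // access denied exceptions thrown from inside a controller.
    if (!$event->getThrowable() instanceof AccessDeniedHttpException) {
      return;
    }
    $route = RouteMatch::createFromRequest($event->getRequest())->getRouteObject();
    if ($route === NULL) {
      return;
    }
    // Link templates of the user entity type, e.g. '/user/{user}'.
    $templates = $this->entityTypeManager->getDefinition('user')->getLinkTemplates();
    $path = $route->getPath();
    // Only routes whose path takes a user object; templates without a
    // {user} parameter keep their normal 403.
    if (in_array($path, $templates, TRUE) && strpos($path, '{user}') !== FALSE) {
      $event->setThrowable(new NotFoundHttpException());
    }
  }

}
```

A functional test for this would request a user link template route for an existing account the visitor may not access and for a non-existent user ID, and assert that both return 404.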

Comments

dpi created an issue. See original summary.

dpi’s picture

Assigned: Unassigned » dpi

Now largely fixed by #2133887: Enumeration still possible through user pages, re-purposing to improve coverage.

dpi’s picture

Status: Active » Needs review
Status | File | Size
new | | 2.9 KB

  • nicksanta committed e450566 on 8.x-1.x authored by dpi
    Issue #3097461 by dpi: Show 404 if 403 on user link template routes
    
nicksanta’s picture

Status: Needs review » Fixed

You legend, thanks @dpi!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.