Problem/Motivation
Settings default settings for personal contact forms to disabled, setting specific user personal contact form to enabled and visiting contact form of mentioned user with another user who has permission to visit contact forms should result in access allowed and instead it returns access denied.
Beta phase evaluation
Issue priority | Normal, security related but too permissive instead of too open. |
---|
To replicate
* Enable contact module.
* Set default settings for personal contact forms to disabled (unchecked).
* Create a new user.
* User sets personal contact forms to enabled.
* Create a user with permission to access user contact forms.
* Try to visit contact form of first user with second user.
Proposed resolution
Provided patch and test.
User interface changes
None
Comment | File | Size | Author |
---|---|---|---|
#21 | contact-form-2393577-21-interdiff.txt | 1.72 KB | Berdir |
#21 | contact-form-2393577-21.patch | 2.05 KB | Berdir |
Comments
Comment #1
vladan.me CreditAttribution: vladan.me commentedProviding patch and test.
Comment #2
vladan.me CreditAttribution: vladan.me commentedTest only to confirm the issue.
Comment #5
vladan.me CreditAttribution: vladan.me commentedEh, wrong version of Drupal, rerolled. First test now.
Comment #6
vladan.me CreditAttribution: vladan.me commentedAnd full patch.
Comment #7
vladan.me CreditAttribution: vladan.me commentedComment #8
larowlanI don't understand how these are functionally different
Comment #9
vladan.me CreditAttribution: vladan.me commentedEnough to make it fail :)
Ok, here's full debug information:
Code snippet is this one:
1) when user's settings are disabled then $account_data gets value 0
2) when user's settings are enabled then $account_data gets value 1
1) it immediately gets into
as it's set and it's empty
2) it skips first condition but enters second one
when it notices that default settings are disabled by default but never actually confirms that user has set to 1
so, when it enters this second, it again returns Access Neutral which in the end converts to access denied
So, this patch will make it enter into
isset($account_data)
but will not fallback to wrong (default settings) check.Hopefully, tests will prove the point.
Comment #12
BerdirThere's a mismatch there with webUser vs web_user, did you create the patch against an older version of core? make sure to use the latest 8.0.x branch.
Comment #13
larowlanah didn't see the elseif - thanks
Comment #14
BerdirWondering if we can improve the comments a bit to explain this better. Would it help to move the comment there inside the first if?
Comment #15
vladan.me CreditAttribution: vladan.me commentedWith the help of @Berdir putting a new round of patches with improved comments and reduced logic. Now against dev version.
Comment #16
vladan.me CreditAttribution: vladan.me commentedAnd full patch.
Comment #17
vladan.me CreditAttribution: vladan.me commentedComment #19
Wim LeersThanks!
80 col rule, but could be fixed on commit.
Comment #20
alexpottDocs should be gender-neutral - see (for example) #1284436: Make comment text gender-neutral in system_clean_url_settings(). I'd say
// Forbid access if the requested user has disabled their contact form.
Let's fix #19 before commit - since we also need to fix the above.
Comment #21
BerdirUpdated the comments.
Comment #22
alexpottThis issue is a normal bug fix, and doesn't include any disruptive changes, so it is allowed per https://www.drupal.org/core/beta-changes. Committed 3967195 and pushed to 8.0.x. Thanks!