Closed (fixed)
Project:
Feeds
Version:
8.x-3.x-dev
Component:
Code
Priority:
Critical
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
17 Dec 2016 at 19:50 UTC
Updated:
4 Jan 2017 at 08:24 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #2
grimreaperHere is the patch.
After checking how works admin/content, I have only modified the view config.
Does this need a hook_update?
Comment #3
daboo commentedThis is controllable via permissions under Feeds -> Access the Feed overview page". I merely changed it to Administrator to keep others from accessing.
Comment #4
grimreaperHello @daboo,
The problem is that this permission is not used by the view provided by default.
And as the view responds on the same URL a default route in feeds.routing.yml has, even if the route requires this permission, anonymous users can access the listing.
Comment #5
daboo commentedThanks for the update @Grimreaper. I wasn't aware of that.
Comment #7
megachrizGreat catch! Seems pretty critical too. I can confirm that the patch fixes the issue if I re-import the configuration file.
I think there is no need for a hook_update now, as there is no official release of Feeds 8.x-3.x yet, only a dev release.
Comment #8
grimreaperOK.
Thanks for the commit.