Install

Works with Drupal: 7.x


Downloads

Download services_views-7.x-1.2.tar.gz (tar.gz, 15.96 KB)
MD5: afff378b8dd258452c9c2bc06a63ffc7
SHA-1: 30143b78e9600e9993f231d52ce5eec858c595e0
SHA-256: d28b48830e5bbf9f0d366f7b9db87c0ec91a4d8c895a39000dd4f3fd3839798d
Download services_views-7.x-1.2.zip (zip, 19.32 KB)
MD5: 4446e81ce779bc492d3165881f3eb79d
SHA-1: a527ad3b742f92c7023e4107f391797fd4c250f9
SHA-256: 9946025c0ba15957e7c2ebf8fe7aee776cdbe2a8b21e1805e5116e4906cb1dbc

Release notes

SA-CONTRIB-2017-062: Arbitrary Views exposed over API

This release provides a mechanism that allows you to secure view displays that are arbitrarily available via the Views resource. You can now whitelist or blacklist specific view displays to control which ones the resource will serve.

This release also includes changes that make administrators aware of view displays that could be leaking information. Warnings appear in several locations, including next to the Views Resource on each API endpoint and on the status report, and there is a separate full report listing all view displays that have no access control configured.

The Problem

This is a security issue because, by default, panel pane displays, block displays, and several other display types are not reachable via a "route" and would not be accessible to the public unless someone placed them on a publicly accessible page. The Views resource, however, makes them available over the API regardless of that.

The Solution

The suggested workaround for now is to use the new Views Resource Settings page at http://YOURSITE/admin/structure/services/list/ENDPOINT_NAME/view_resource and whitelist or blacklist the displays you wish to be available to that endpoint. You will need to do this for each endpoint. For a good idea of where to start removing displays from an endpoint, look at the report at http://YOURSITE/admin/reports/insecure-view-displays. These settings are saved as simple Drupal variables, so you can export them with Strongarm if you need to.
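For sites that want to run the same kind of audit as the insecure-view-displays report from the command line (for example under `drush php-script`), here is an added example that is not the services_views module's own code. It assumes a bootstrapped Drupal 7 site with Views 3, and uses the Views API to list every enabled display whose effective access plugin is "none", honouring the "use default" inheritance a display may have from its master display; `example_insecure_view_displays` is a hypothetical name.

```php
<?php
/**
 * Added example (not part of services_views): list enabled view displays
 * that have no access control and could therefore be served to anyone
 * through the Views resource. Assumes Drupal 7 + Views 3 are bootstrapped.
 *
 * @return array
 *   One row per unprotected display: view name, display id, display plugin.
 */
function example_insecure_view_displays() {
  $findings = array();
  foreach (views_get_all_views() as $view) {
    // Disabled views are not served by Views at all; skip them.
    if (!empty($view->disabled)) {
      continue;
    }
    foreach (array_keys($view->display) as $display_id) {
      if (!$view->set_display($display_id)) {
        continue;
      }
      // get_option() resolves "use default" so an inherited 'none' is caught too.
      $access = $view->display_handler->get_option('access');
      if (empty($access['type']) || $access['type'] == 'none') {
        $findings[] = array(
          'view' => $view->name,
          'display' => $display_id,
          // Block and panel_pane displays have no route of their own, so
          // these are the ones most likely to be exposed unintentionally.
          'plugin' => $view->display[$display_id]->display_plugin,
        );
      }
    }
    $view->destroy();
  }
  return $findings;
}

// Print one line per finding; the view:display pair is what you would then
// blacklist (or leave off the whitelist) on each endpoint's settings page.
foreach (example_insecure_view_displays() as $f) {
  printf("%s:%s (%s) has no access control\n", $f['view'], $f['display'], $f['plugin']);
}
```

Pay particular attention to rows whose plugin is `block` or `panel_pane`, since those displays were never meant to be reachable on their own.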

Important Next Steps

This is a single step in a bigger initiative to remove the 'views' endpoint altogether and to make people aware of the security implications of reusing view displays that typically do not have a non-administrative endpoint of their own, such as panel panes and blocks. By September 4th, 2017, the views resource will be removed unless there is significant cause not to do so. All whitelisted view displays will be copied and transformed into a "Services" type view display. The URL pointing to the views resource will remain backward compatible with these new displays only as long as the views resource is enabled. The goal is to move away from this all-inclusive, insecure resource and help developers keep information from being leaked to unintended users of the API.

Progress will be tracked in #2900460: Make the Views Resource enforce better security practices.

Created by: generalredneck
Created on: 7 Aug 2017 at 17:55 UTC
Last updated: 1 Dec 2017 at 15:13 UTC
Security update
