I've noticed that setting all the 'view terms' permissions so that anonymous users can see taxonomy terms in each vocabulary also enables them to view the vocabulary list page at /admin/structure/taxonomy/manage/{vocab}/overview, which I think shouldn't be tied to the view permission.

Files:
Comment #2: incorrect_list_perms-2993452-0.patch (918 bytes, bblake)

Comments

bblake created an issue. See original summary.

bblake

Status: new, size: 918 bytes

Adding patch to remove 'view terms' as a criterion for accessing the term lists.

recrit

I agree, this needs to be locked down.

@pifagor,
The access fix name of "list terms" is a bit confusing since it means "admin/structure/taxonomy/%vocabulary" and not "taxonomy/term/%taxonomy_term" as one might think.
A future cleanup could be to rename this "fix" as "admin list terms" or "vocab terms list".

tarasich

Status: Active » Reviewed & tested by the community

I agree with the motivation.
The patch works fine for me, so allow me to RTBC it)

voleger

Makes sense.
+1 for RTBC

alex_optim

+1

pifagor

  • pifagor committed 7b82d95 on 8.x-2.x authored by bblake
    Issue #2993452 by bblake, recrit, tarasich, voleger, pifagor, alex_optim...
pifagor

Status: Reviewed & tested by the community » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.