Tracker module allows any user to access /user/%uid/track pages by default.

That might be a potentially problem if content associated to user being tracked isn't in control or has the properly permissions, so sensitive content could be accesed easily in Track tab from a profile page.

Search engines show this link by default and allows access. A common SEO problem on Drupal sites is that search engines will index URL parameters that should not be indexed as /tracker or /user/*/track pages.

I attach this patch to limit theses access only for administrators and users who match with the tracking page being accessed (users are able to view their own Track activity).

I don't now if this is a valid approach, by anyway, thanks for your feedback.

CommentFileSizeAuthor
#2 core-limit-tracker-access-2777445-1-D7.patch574 bytesmercalia
test_tracker.patch574 bytesmercalia

Comments

mercalia created an issue. See original summary.

mercalia’s picture

mercalia commented
StatusFileSize
new core-limit-tracker-access-2777445-1-D7.patch574 bytes
mercalia’s picture

mercalia commented
Title: Restrict access to track users by default in Tracker module » Restrict access to track user page by default in Tracker module
stefan.r’s picture

stefan.r commented
Version: 7.x-dev » 8.2.x-dev
Status: Patch (to be ported) » Active

This doesn't seem right -- why check against "administer nodes"? And what is the actual vulnerability here?

Reassigning to 8.2.x, as Drupal 8 still has the same access check.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.0-beta1 was released on August 3, 2016, which means new developments and disruptive changes should now be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

petiar’s picture

petiar commented

I wanted to work on this within the DrupalCon 2016 sprint, however, I got confused a bit after a short investigation. Isn't the name of the module now Activity Tracker? Also the path reads /user/{user}/activity (as per the tracker.routing.yml). I can't get the user/{user}/track path to work in Drupal 8.3.

Anyway, I still think there may be some problem. According the tracker.routing.yml the permission to access the Activity tab is _permission: 'access content'. Although this permission is allowed for an anonymous (it's the View published content permission), anonymous user still can't access it.

My suggestion would be to introduce a new permission for this path within the tracker module. I am happy to do that, however, I would like to get some opinion on that as I am new contributor and if any of my assumption is wrong, I'd be doing useless work.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.0-alpha1 will be released the week of January 30, 2017, which means new developments and disruptive changes should now be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.0-alpha1 will be released the week of July 31, 2017, which means new developments and disruptive changes should now be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.0-alpha1 will be released the week of January 17, 2018, which means new developments and disruptive changes should now be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.7.x-dev

Drupal 8.6.0-alpha1 will be released the week of July 16, 2018, which means new developments and disruptive changes should now be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

hazit’s picture

hazit commented

I agree that this would be useful :-)

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

jasonluttrell’s picture

jasonluttrell
Location Washington, DC area
commented

+1 for this feature in Drupal 8/9.

bessonweb’s picture

bessonweb commented

+1 also ! It seem logical to restrict the "user activity logs" to anonymous visitors.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented
Issue tags: -Tracker, -restrict access to track pages, -Drupal Core pages access

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

quietone’s picture

quietone commented
Status: Active » Postponed

This extension is deprecated and scheduled for removal in Drupal 11.

This is now Postponed. The status is set according to two policies. The Remove a core extension and move it to a contributed project and the Extensions approved for removal policies.

It will be moved to the contributed extension once the Drupal 11 branch is open.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

andypost’s picture

andypost
he/him
Primary language Russian
commented
Project: Drupal core » Activity Tracker
Version: 11.x-dev » 1.0.x-dev
Component: tracker.module » Code
Status: Postponed » Active

now in contrib

batigolix’s picture

batigolix
Primary language Dutch
Location Utrecht
commented

This is a duplicate of #2978468: Activity Tracker module does not allow to prevent anonymous users from seeing the users activity.

batigolix’s picture

batigolix
Primary language Dutch
Location Utrecht
commented
Status: Active » Closed (duplicate)

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.