Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Relying on the request in the constructor of RegisterForm prevents proper access checking outside of the expected route context #14

Closed
FeyP opened this issue Nov 16, 2023 · 3 comments · Fixed by #19
Closed

Relying on the request in the constructor of RegisterForm prevents proper access checking outside of the expected route context #14

FeyP opened this issue Nov 16, 2023 · 3 comments · Fixed by #19
Labels
bug Something isn't working
Milestone
1.1.x

Comments

@FeyP
Copy link
Contributor

FeyP commented Nov 16, 2023
edited
Loading

Problem/Motivation

In the constructor of Drupal\civiremote_event\Form\RegisterForm the form tries to get the route parameters from the current request. This prevents proper access checking outside the context of the route, if the access checks require an initialization of the RegisterForm, which is currently the case due to the custom access callbacks on the form object. Throwing 404 or other exceptions on error there may also result in the 404 or other error leaking back to the request that tried to initialize the form object, e.g. you might see a 404 error just for rendering a link to the registration route on an overview page, if the link is access checked as part of the rendering process.

Steps to reproduce

Try something like this somewhere outside of the expected route request context:

$url = \Drupal\Core\Url::fromRoute('civiremote_event.register_form', [
  'event' => $crm_id,
  'profile' => NULL,
]);
$url->access();

Proposed resolution

As a quick fix I moved the access checks of RegisterForm and RegistrationUpdateForm to RegisterFormController and used the parameters passed in instead of the properties.

A better fix would be to refactor the form code so that relying on the request in the constructor is no longer needed.

See also #9 , which is related.
@jensschuppe
Copy link
Collaborator

Thanks for raising this issue.

As a quick fix I moved the access checks of RegisterForm and RegistrationUpdateForm to RegisterFormController and used the parameters passed in instead of the properties.

Would you be able to provide that fix/workaround as a PR?

A better fix would be to refactor the form code so that relying on the request in the constructor is no longer needed.

Agreed, do you plan working on that?

@jensschuppe jensschuppe added the bug Something isn't working label Nov 17, 2023
@jensschuppe jensschuppe added this to the 1.1.x milestone Nov 17, 2023
@FeyP
Copy link
Contributor Author

FeyP commented Nov 17, 2023

Would you be able to provide that fix/workaround as a PR?

Yes, although I didn't do much testing yet. I'll prepare a PR, but maybe let it sit for at least a few days in case something comes up.

Agreed, do you plan working on that?

I could certainly do that, but I'd need to check with my project management. I'm not sure we have budget left for this, so for now I'd say we don't plan on doing that, unfortunately. I'll let you know, if that will change.

@FeyP FeyP mentioned this issue Nov 21, 2023
Closed
@jensschuppe jensschuppe mentioned this issue Jan 16, 2024
Merged
@jensschuppe
Copy link
Collaborator

#19 is another approach and should cover errors during out-of-context access checks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
1.1.x
2 participants
@FeyP @jensschuppe