#4439 closed Defect (fixed)
/view/:guid route can expose plugin information to logged-out users
| Reported by: | ewinslow | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Elgg 1.8.4 |
| Component: | Core | Version: | 1.8 |
| Severity: | minor | Keywords: | |
| Cc: | brett@… | Difficulty: | easy |
Description (last modified by ewinslow)
Just stumbled across this while testing a new routing system. I assume we don't want random people to be able to inspect what plugins are installed on a given site.
This is because plugins have access_id public by default. I don't see a way to get around that since plugins need to work for logged out users too, obviously.
Hmm...
Change History (16)
comment:1 Changed 14 months ago by brettp
comment:2 Changed 14 months ago by ewinslow
I'm not sure what your point is. I'm sitting here logged out looking at /view/2 and seeing the plugin.
comment:3 follow-up: ↓ 4 Changed 14 months ago by ewinslow
Oh, I see. You're suggesting to put that in the view? Sorry!
comment:4 in reply to: ↑ 3 Changed 14 months ago by brettp
Replying to ewinslow:
Oh, I see. You're suggesting to put that in the view? Sorry!
Right. It's mixing controller logic in the view with the forward, but since the /view/ route is built in, it's the cleanest choice. I suppose we could also just return true if we want to be super strict...
Could also add a registration function like we have with elgg_register_ajax_view(). I don't know how useful the /view/ route is, to be honest.
comment:5 Changed 14 months ago by ewinslow
- Difficulty set to easy
- Milestone changed from Needs Review to Elgg 1.8.4
I'd prefer not to add another registration function.
Controller logic in the view is a little gross. I vote we return true.
comment:6 Changed 13 months ago by brettp
return true doesn't work because it defaults to the default object view. You can still see the plugin entity.
This leaves a registration function, a forward() in the view, or something more intrusive. I'm leaning toward the registration function because no one uses the default page handler anyway. Something like elgg_register_default_page_handler($type, $subtype).
comment:7 Changed 13 months ago by ewinslow
If no one uses it and it's causing security issues we should just remove it. No use cluttering the API.
comment:8 Changed 13 months ago by brettp
If this is for 1.8 we can't change the API in either case, so it's up to changing the view.
I said it's not used, but I think that's because it's not advertised, not because it's useless. If we make a registration function for it, it will parallel elgg_register_page_handler() to provide a default page handler for /view/:guid for simple plugins that don't want to handle their own pages. This could eventually be extended to a system-wide default page handler with stuff like /list/:type/:subtype, /add, /edit, /owner, etc.
comment:9 Changed 13 months ago by ewinslow
Meh. I'd rather spend the time improving our core routing system so that developers can make pretty urls without tearing their hair out.
My idea is here in case you missed it: https://github.com/ewinslow/elgg-evan
I've already created a couple plugins on this system and it makes a world of difference.
comment:10 Changed 13 months ago by brettp
Many other similar projects ship with default page handlers for a good reason: not having to write page handlers for simple URLs (which most are) is a huge win. Look at all the boilerplate code in the bundled plugins' page handlers.
comment:11 Changed 13 months ago by ewinslow
- Description modified (diff)
Here's a little code sample.
// routes.php
return array(
'/blog/owner/:container_guid' => 'blog/list',
);
// pages/blog/list.php
set_input('type', 'object');
set_input('subtype', 'blog');
// Call out to a different page handler
page_handler('entity/list');
This doesn't seem like excessive boilerplate, and you get things like potential for reverse routing, code reuse, relevant urls, etc.
Is this compelling at all?
comment:12 Changed 13 months ago by brettp
Yes, it's compelling, but I'm not saying our routing doesn't need improvement. I'm saying there is definite benefit in having a default routing system. elgg_register_default_page_handler('object', 'blog') is even lighter than what you have there. If we pull in your routing system to core, I'm sure the default routing will use it.
comment:13 Changed 13 months ago by Brett Profitt
- Resolution set to fixed
- Status changed from new to closed
Fixes #4439. Redirecting if trying to view a plugin object outside of admin.
Changeset: 2c324332f33fca688d782b55a51d38a793a18430
comment:14 Changed 13 months ago by ewinslow
2 things:
- OK. Let's submit this default page handler registration issue as a separate ticket if you haven't already. I'm open to it.
- This ticket exposes a more general problem with our setup, I think. We need everyone to have access to plugin entities so that the engine can initialize, but we don't want these entities to be inspectable by third parties. This may be a case where we need to use elgg_set_ignore_access when we want access to the plugins and otherwise set the access controls to private. If we don't figure out a lower-level solution, I can pretty much guarantee we're going to have a problem like this again in the future.
comment:15 Changed 13 months ago by brettp
Already have to do something similar for the site object view, so I agree we need to discuss this more.
comment:16 Changed 12 months ago by Brett Profitt
Fixes #4439. Redirecting if trying to view a plugin object outside of admin.
Changeset: 2c324332f33fca688d782b55a51d38a793a18430
In the plugin view: if (!elgg_in_context('admin')) { forward('/', 403); }