user_entityforms not secured with permissions or access restriction
>>> [!note] Migrated issue <!-- Drupal.org comment --> <!-- Migrated from issue #2990833. --> >>> <p>The user_entityforms view that ships with the module does not use access restrictions of any kind to secure the data.</p> <p>There is a filter on the view that maps the logged in user to the data, and this seems adequate to hide results from public view... but it probably isn't.</p> <p>The view relies on security through obscurity which at the very least means it will trip any security audit checking for unsecured views (which is how this issue came to light for me).</p>
issue