Commit b1b329ce authored by DEEPAK MISHRA's avatar DEEPAK MISHRA Committed by Jakob P

Issue #3435303 by deepakkm: Automated Drupal 11 compatibility fixes for...

Issue #3435303 by deepakkm: Automated Drupal 11 compatibility fixes for username_enumeration_prevention
parent cfbe9886
1 merge request!11Resolve #3435303 "Automated drupal 11"
......@@ -16,13 +16,6 @@ include:
################
# variables:
# SKIP_ESLINT: '1'
#
# Start custom overrides.
# Based on https://git.drupalcode.org/project/keycdn/-/blob/8.x-1.x/.gitlab-ci.yml
#
# Start custom overrides.
variables:
SKIP_CSPELL: 1
OPT_IN_TEST_PREVIOUS_MAJOR: 1
......
......@@ -24,7 +24,7 @@ Username enumeration is a technique used by malicious actors to identify valid u
Enabling this module is one step to preventing the usernames on the system from being found out but there are other known methods that are just as easy.
* If a user belongs to a role that has "access user profiles" granted to it, then that user can serially visit all integers at the URL http://drupal.org/user/UID and get the username from the loaded profile pages.
* "submitted by" information on nodes or comments, views, exposed filters or by other contributed modules can also expose usernames. Site builders looking to hide usernames from comments and nodes should look at using realname or some other tool.
* "submitted by" information on nodes or comments, views, exposed filters or by other contributed modules can also expose usernames. Site builders looking to hide usernames from comments and nodes should look at using real name or some other tool.
* Browser autocompletion on the user login page can be disabled using the [Security Kit](https://www.drupal.org/project/seckit) module.
* The Drupal security team [does not consider username enumeration a vulnerability](https://www.drupal.org/drupal-security-team/security-team-procedures/disclosure-of-usernames-and-user-ids-is-not-considered).
......
......@@ -112,7 +112,7 @@ class UserRouteEventSubscriber implements EventSubscriberInterface {
/**
* {@inheritdoc}
*/
public static function getSubscribedEvents() {
public static function getSubscribedEvents(): array {
$events[KernelEvents::EXCEPTION] = 'onException';
return $events;
}
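Review bot: `$events` on the line after the new `: array` signature is written before it is initialised, so the method relies on PHP auto-vivifying an array from an undefined variable; now that the return type is declared, a literal is cleaner and keeps static analysis quiet: `return [KernelEvents::EXCEPTION => 'onException'];` in place of the two body lines. The listener is also registered without an explicit priority, which leaves its ordering relative to core's exception subscribers implicit — if the subscriber depends on running before or after them, spelling the priority out (`[ 'onException', PRIORITY ]`, with PRIORITY a placeholder) would document that. The UserRouteEventSubscriber class begins outside the hunk.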
......
......@@ -72,7 +72,7 @@ class UserRouteTest extends BrowserTestBase {
foreach ($scenarios as $key => $scenario) {
$scenario = $scenario + array_fill_keys(range(1, 2), []);
// Test Drupal user routes return 403 out of the box. We use these to test
// if core changed the behaviour of these routes, and now 404.
// if core changed the behavior of these routes, and now 404.
$data['without uep ' . $key] = $scenario + [3 => 403];
$scenario[2][] = 'username_enumeration_prevention';
$data['with uep ' . $key] = $scenario + [3 => 404];
......
---
name: Username Enumeration Prevention
type: module
description: |-
Removes the error message produced by the forgot password form, when an
invalid user has been supplied.
core: 8.x
core_version_requirement: ^8 || ^9 || ^10
core_version_requirement: ^9.5 || ^10 || ^11
dependencies:
- drupal:user
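Review bot: The legacy `core: 8.x` key is left in place while `core_version_requirement` no longer admits any 8.x release, which makes the two lines contradict each other; if I recall Drupal's InfoParser correctly, a `core_version_requirement` that does not satisfy 8.7.7 or earlier combined with a `core` key is rejected with an InfoParserException when the module is discovered. Dropping the `core: 8.x` line is the fix, since `core_version_requirement` alone describes the supported cores. Which of the two `core_version_requirement` lines is old and which is new is inferred from print order only.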
......@@ -8,6 +8,8 @@
*/
use Drupal\Core\Url;
use Drupal\user\Entity\Role;
use Drupal\user\RoleInterface;
/**
* Implements hook_requirements().
......@@ -15,7 +17,13 @@ use Drupal\Core\Url;
function username_enumeration_prevention_requirements($phase) {
$requirements = [];
if ($phase === 'runtime') {
$username_enumeration_prevention_roles = user_roles(FALSE, 'access user profiles');
// user_roles is deprecated in drupal:10.2.0 and is removed from
// drupal:11.0.0 and have to use \Drupal\user\Entity\Role::loadMultiple()
$roles = Role::loadMultiple();
// user_roles(FALSE, 'access user profiles'); is replaced with suggestion
// mentioned in https://www.drupal.org/node/3349759
$username_enumeration_prevention_roles = array_filter($roles, fn(RoleInterface $role) => $role->hasPermission('access user profiles'));
if (isset($username_enumeration_prevention_roles['anonymous'])) {
$value = t('WARNING! Anonymous users have permission to access user profiles.');
$severity = REQUIREMENT_WARNING;
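Review bot: The anonymous-role check on the `isset(...['anonymous'])` line keeps a bare string while the hunk now imports `RoleInterface`, which exposes that ID as `RoleInterface::ANONYMOUS_ID`; using the constant ties the lookup to the imported interface: `if (isset($username_enumeration_prevention_roles[RoleInterface::ANONYMOUS_ID])) {`. The closure passed to `array_filter` does not use `$this`, so `static fn (RoleInterface $role): bool => $role->hasPermission('access user profiles')` states that and adds the return type. The two explanatory comments overlap and read awkwardly ("and have to use"); one comment such as `// user_roles() was deprecated in drupal:10.2.0 and removed in 11.0.0; see https://www.drupal.org/node/3349759.` covers both. The function body continues outside the hunk.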
......