Redirect endpoints that should not be public

User Story:

As an anonymous user, I should not be able to access Drupal endpoints that expose content listings, feeds, taxonomy pages or session tokens, so that no sensitive information is disclosed to unauthenticated visitors.

Acceptance Criteria:

Scenario 1: Redirect endpoints

  Given that I have access past the firewall
  When I go to any of the URLs listed below
  Then I am redirected to /system/403

  • /rss.xml

  • /node

  • /taxonomy/term/%/feed

  • /taxonomy/term/%

  • /rest/session/token

  • /session/token

  • /machine_name/transliterate

  • /filter/tips/plain_text

  • /filter/tips

Implementation Details

For /rss.xml, /node, /taxonomy/term/%/feed and /taxonomy/term/%:

  • Disable the Frontpage view (update the views.view.frontpage configuration and set status to false). This view provides both /node (page_1) and /rss.xml (feed_1).

  • Disable the Taxonomy term view (update the views.view.taxonomy_term configuration). This removes the /taxonomy/term/%/feed display. Note that /taxonomy/term/% itself does not disappear: once the view is disabled the taxonomy module's own entity route (entity.taxonomy_term.canonical, path /taxonomy/term/{taxonomy_term}) takes over and still renders the term page, so that route must also be handled by the event subscriber below.

  Check: disabling a view makes its paths return 404 rather than redirect to /system/403. If the acceptance criteria are to be met literally for these four paths, add their route names to the subscriber as well.

For /rest/session/token, /session/token, /machine_name/transliterate, /filter/tips/plain_text and /filter/tips:

  • Create a custom module, CUSTOM_MODULE_security.

  • Find the route name for each path (or match on the path itself). Either search the code base for the path in *.routing.yml files, or enable the Web Profiler module locally and read the route name from its toolbar. `drush route --path=/session/token` prints it as well.

  • Check first that no front-end code fetches /session/token or /rest/session/token for anonymous visitors (CSRF-protected AJAX, REST and JSON:API clients request this token); blocking it for anonymous sessions breaks those requests.

  • Programmatically redirect the URLs above to the 403 page with an event subscriber.

  • Register the event subscriber by creating a CUSTOM_MODULE_security.services.yml file:

```yaml
services:
  CUSTOM_MODULE_security.subscriber:
    class: Drupal\CUSTOM_MODULE_security\EventSubscriber\CUSTOMMODULESecuritySubscriber
    tags:
      - { name: event_subscriber }
```

  The namespace must match the module's machine name: a module named CUSTOM_MODULE_security is autoloaded under Drupal\CUSTOM_MODULE_security, not Drupal\CUSTOM_MODULE.

  • Create the redirects in CUSTOM_MODULE_security by subscribing to the kernel request event and checking whether the current user is anonymous:

```php
if (\Drupal::currentUser()->isAnonymous()) {
```

  • Compare the request's route name against each blocked route name and, on a match, set the new response:

```php
$response = new RedirectResponse('/system/403', 302);
$event->setResponse($response);
```

  Redirect to /system/403, the path named in the acceptance criteria (plain /403 is not a Drupal route), and use a 302 rather than a 301: browsers cache permanent redirects, so a 301 issued to an anonymous visitor would keep redirecting that browser even after the user logs in.

Behat tests

  • Write a Behat test that visits each URL above as an anonymous user and asserts that the resulting page is /system/403. For /taxonomy/term/% and /taxonomy/term/%/feed, use the ID of an existing published term; for /filter/tips/plain_text, the plain_text format must exist on the site.
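The event subscriber described above, written out in full as an added example (it is not code from the original ticket or from any Acquia project). It assumes Drupal 10 on Symfony 6 (on Drupal 9 replace `isMainRequest()` with `isMasterRequest()`; on Drupal 8 the event class is `GetResponseEvent`), that the service definition gains `arguments: ['@current_user']`, and that the route names in `BLOCKED_ROUTES` are the core ones on a clean install; the module and class names are the ticket's own placeholders.

```php
<?php

namespace Drupal\CUSTOM_MODULE_security\EventSubscriber;

use Drupal\Core\Session\AccountProxyInterface;
use Drupal\Core\Url;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Sends anonymous requests for information-disclosing core routes to /system/403.
 *
 * Register in CUSTOM_MODULE_security.services.yml with the event_subscriber
 * tag and arguments: ['@current_user'].
 */
class CUSTOMMODULESecuritySubscriber implements EventSubscriberInterface {

  /**
   * Core route names behind the paths in the ticket.
   *
   * Assumption: these are the core route names on a clean install. Confirm
   * each one with the Web Profiler toolbar or `drush route --path=...` on your
   * codebase, because contrib or custom modules may override them.
   */
  const BLOCKED_ROUTES = [
    'view.frontpage.page_1',             // /node
    'view.frontpage.feed_1',             // /rss.xml
    'view.taxonomy_term.page_1',         // /taxonomy/term/%
    'view.taxonomy_term.feed_1',         // /taxonomy/term/%/feed
    'entity.taxonomy_term.canonical',    // /taxonomy/term/% once the view is disabled
    'system.csrftoken',                  // /session/token
    'rest.csrftoken',                    // /rest/session/token (REST module only)
    'system.machine_name_transliterate', // /machine_name/transliterate
    'filter.tips_all',                   // /filter/tips
    'filter.tips',                       // /filter/tips/plain_text
  ];

  /**
   * The current user.
   *
   * @var \Drupal\Core\Session\AccountProxyInterface
   */
  protected $currentUser;

  public function __construct(AccountProxyInterface $current_user) {
    $this->currentUser = $current_user;
  }

  /**
   * {@inheritdoc}
   */
  public static function getSubscribedEvents(): array {
    // Core's router listener populates the '_route' request attribute at
    // priority 32; run after it (lower number) so the route name is set, and
    // before the Dynamic Page Cache subscriber (priority 27).
    return [KernelEvents::REQUEST => ['onRequest', 30]];
  }

  /**
   * Redirects blocked routes to the 403 page for anonymous users only.
   */
  public function onRequest(RequestEvent $event): void {
    // Ignore sub-requests (such as rendered error pages) and authenticated
    // users; only anonymous sessions are redirected.
    if (!$event->isMainRequest() || !$this->currentUser->isAnonymous()) {
      return;
    }

    $route_name = $event->getRequest()->attributes->get('_route');
    if (!in_array($route_name, self::BLOCKED_ROUTES, TRUE)) {
      return;
    }

    // 302, not 301: browsers cache permanent redirects, so a 301 issued to an
    // anonymous visitor would keep redirecting that browser after login.
    // Url::fromRoute() respects the site's base path on sub-directory installs.
    $url = Url::fromRoute('system.403')->toString();
    $event->setResponse(new RedirectResponse($url, 302));
  }

}
```

Matching on route names rather than raw paths means path aliases and trailing-slash variants cannot bypass the check, and it covers /taxonomy/term/{id} for every term ID without pattern matching. A plain Symfony RedirectResponse carries no cacheability metadata, so Drupal's Internal Page Cache will not store it; that is the safe default here, since a cached redirect served to all anonymous visitors is exactly what you want to reason about explicitly before enabling it.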

Testing Steps

As an anonymous user, when visiting the URLs below, I am redirected to /system/403:

  • /rss.xml

  • /node

  • /taxonomy/term/%/feed (% is a placeholder for a taxonomy term ID)

  • /taxonomy/term/%

  • /rest/session/token (only if the REST module is enabled)

  • /session/token

  • /machine_name/transliterate

  • /filter/tips/plain_text

  • /filter/tips

Also confirm, while logged in as an authenticated user, that the same URLs are not redirected: the subscriber applies only to anonymous sessions, and a redirect seen by authenticated users indicates a cached or unconditional response.

Last updated 6 years ago