Problem/Motivation
Some contributed modules' entity types apparently ship with less-than-ideal (read: not quite secure by default) entity access control logic/ permissions.
This is bad because:
- it results in information disclosure vulnerabilities too easily
- it may even result in access bypass
- both of the above are possible with just "the HTML UI" for an entity type, but become extra bad when the site also has an API module installed: core's
rest.module, or contrib'srelaxed.module,jsonapi.moduleorgraphql.module
Proposed resolution
Consider adding something like https://www.drupal.org/project/entity_access_audit to Drupal core. A corresponding status report entry also seems prudent.
See https://www.previousnext.com.au/blog/introducing-entity-access-audit-module as an especially good explanation and possible implementation.
Remaining tasks
TBD
User interface changes
TBD
API changes
TBD
Data model changes
TBD
Release notes snippet
TBD