Channel: Issues for Drupal core

CommentDefaultFormatter does not respect custom access control


This was determined by the Security team to be suitable to post publicly

CommentDefaultFormatter does not check any access control and assumes the default permissions like 'access comments' are the only access logic in play.

You can reproduce this problem by:

  1. Enable the module.
  2. Write a custom access control handler for comment entities and use hook_entity_type_info_alter to wire up this handler for comment entities.
  3. Create an entity with a comment field on it and add some comments. On the comment thread, note that the permission 'access comments' is used instead of deferring to the custom comment access control handler.

Commentary from Berdir:

The problem is that we have no concept of a "can access list of entities" operation, that simply doesn't exist and would need to be handled specially, like create access, as there is no entity to operate on/with, so we can not simply introduce a new operation.

Given that there is no "proper" way to do it, not sure if this is a security issue.

There are a few others as well, for example checking for being able to create comments; that's something we could do better. But even that sounds like a normal or maybe a security hardening bug to me.

CommentDefaultFormatter itself is also just a plugin, so if you have a case like this where you want to customize comment access, you could use a different formatter...

Many other listing pages are equally hardcoded (although this is arguably more exposed than most default (config) entity listings). The only thing that comes close to the concept of overview-access is having an admin permission, see \Drupal\Core\Entity\Routing\DefaultHtmlRouteProvider::getCollectionRoute().

And last, \Drupal\comment\CommentStorage::loadThread() implements the comment_filter and entity_access tags (this is arguably a bit weird, since we always use ${entity_type}_access as the tag). So you can, for example, add a condition there to deny access if the host is a certain entity or entity type.
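As an added illustration (not code from this issue or from Drupal core), the following puts the custom comment access handler from the reproduction steps next to the loadThread() query-tag workaround Berdir describes, so the per-entity handler and the listing query enforce the same rule while the formatter itself does not check entity access. It assumes a hypothetical module `mymodule`, a hypothetical host entity type `private_note`, and the `c` table alias loadThread() uses for comment_field_data; the class is kept in the .module file only to fit a single listing.

```php
<?php
// mymodule.module (hypothetical module name, constructed for this example).

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Database\Query\AlterableInterface;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\comment\CommentAccessControlHandler;

/**
 * Denies 'view' on comments whose host is the hypothetical private_note
 * entity type unless the account may administer comments; every other
 * decision is delegated to core's handler.
 */
class PrivateNoteCommentAccessControlHandler extends CommentAccessControlHandler {
  protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
    /** @var \Drupal\comment\CommentInterface $entity */
    if ($operation === 'view' && $entity->getCommentedEntityTypeId() === 'private_note') {
      return AccessResult::allowedIfHasPermission($account, 'administer comments')
        ->addCacheableDependency($entity);
    }
    return parent::checkAccess($entity, $operation, $account);
  }
}

/**
 * Implements hook_entity_type_alter().
 *
 * Step 2 of the reproduction: make comment entities use the handler above.
 * CommentDefaultFormatter never consults it, which is the bug reported here.
 */
function mymodule_entity_type_alter(array &$entity_types) {
  /** @var \Drupal\Core\Entity\EntityTypeInterface[] $entity_types */
  $entity_types['comment']->setAccessClass(PrivateNoteCommentAccessControlHandler::class);
}

/**
 * Implements hook_query_TAG_alter() for the 'comment_filter' tag.
 *
 * CommentStorage::loadThread() tags its query with 'comment_filter', so this
 * keeps the listing consistent with the handler above until the formatter
 * itself checks entity access. Assumes loadThread()'s alias 'c' for the
 * comment_field_data table (verify against your core version).
 */
function mymodule_query_comment_filter_alter(AlterableInterface $query) {
  if (!\Drupal::currentUser()->hasPermission('administer comments')) {
    $query->condition('c.entity_type', 'private_note', '<>');
  }
}
```

Because the formatter output is render-cached, also verify that the rendered listing varies by the same cache contexts the handler depends on (user.permissions here); otherwise a cached listing can be served to a role that should not see it.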

Original report:

I customized the view access logic for comments by setting my own access class. This worked for viewing a comment at comment/{comment} but not when viewing a list of comments in a comment field.

CommentDefaultFormatter does not check any access control and assumes the default permissions like 'access comments' are the only access logic in play.
