Missing permission check for Brevo plugin configuration page #8055

@atiq-bs23

Description

The Brevo plugin configuration endpoint does not verify whether the current user has the MANAGE_PLUGINS permission.
As a result, users without this permission can still access the configuration page directly via URL.

This behavior may lead to unauthorized access to plugin configuration settings.

Steps to Reproduce:

  1. Create a new role.
  2. Assign Admin area access to the role.
  3. Ensure the role does NOT have the MANAGE_PLUGINS permission.
  4. Log in with a user assigned to this role.
  5. Manually navigate to: https://{YOUR_DOMAIN}/Admin/Brevo/Configure

Actual Result
The Brevo configuration page is displayed successfully.

Expected Result
Access should be denied.

Suggested Fix
Add a permission check for MANAGE_PLUGINS in the Brevo plugin configuration controller/action.
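As an added illustration of the fix suggested above (not code from the nopCommerce repository or from the reporter), the configuration action before and after the permission check. It assumes nopCommerce's 4.80-style permission API (`StandardPermission.Configuration.MANAGE_PLUGINS`, the `[CheckPermission]` action filter, `IPermissionService.AuthorizeAsync(string)`, `AreaNames.ADMIN`); the controller name, namespace and `ConfigurationModel` are assumed as well.

```csharp
// Added illustration; not the nopCommerce project's own code.
// Assumed API (nopCommerce 4.80 style): StandardPermission.Configuration.MANAGE_PLUGINS,
// [CheckPermission], IPermissionService.AuthorizeAsync(string), AreaNames.ADMIN.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Nop.Services.Security;
using Nop.Web.Framework;
using Nop.Web.Framework.Controllers;
using Nop.Web.Framework.Mvc.Filters;

namespace Nop.Plugin.Misc.Brevo.Controllers;   // assumed plugin namespace

[AuthorizeAdmin]        // only requires admin-area access, which step 2 of the report grants
[Area(AreaNames.ADMIN)]
[AutoValidateAntiforgeryToken]
public class BrevoController : BasePluginController
{
    private readonly IPermissionService _permissionService;

    public BrevoController(IPermissionService permissionService)
    {
        _permissionService = permissionService;
    }

    // Before: every user with admin-area access can open /Admin/Brevo/Configure.
    // public async Task<IActionResult> Configure()
    //     => View("~/Plugins/Misc.Brevo/Views/Configure.cshtml", new ConfigurationModel());

    // After: the filter rejects callers without MANAGE_PLUGINS before the action body runs.
    [CheckPermission(StandardPermission.Configuration.MANAGE_PLUGINS)]
    public async Task<IActionResult> Configure()
    {
        // Defence in depth: explicit check so the action stays protected even if the
        // attribute is dropped in a later refactor or the action gains another route.
        if (!await _permissionService.AuthorizeAsync(StandardPermission.Configuration.MANAGE_PLUGINS))
            return AccessDeniedView();

        var model = new ConfigurationModel();   // hypothetical view model for illustration
        return View("~/Plugins/Misc.Brevo/Views/Configure.cshtml", model);
    }
}
```

Any POST action that saves the configuration needs the same attribute; checking only the GET leaves the save endpoint reachable by the role described in the report.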
