[Typo3] Indexed search finding access restricted pages

Lars Houmark lars at houmark.com
Wed Feb 2 00:44:03 CET 2005


Has nobody seen this issue? I find it rather unsmart and also somewhat 
unsafe, if a news item is meant to be internal and the title is so, that 
normal visitors can find that subject just by searching the website?

Could be embarrassing for a company that an internal news title is shown in 
full public.

If someone should be running frontend usergroups and news, it is very easy 
to test if this is an issue in your installation as well. While not being 
logged in, just search for a title that you know is access restricted by a 
certain usergroup.

Regards,


Lars Houmark


"Lars Houmark" <lars at houmark.com> wrote in message 
news:mailman.1.1106910217.25212.typo3-english at lists.netfielders.de...
> Hey,
>
> I am taking this issue here, as it seems it is not caused by tt_news 
> (after posting in that newsgroup).
>
> I have a project where we are using frontend users/groups, tt_news and 
> indexed search.
>
> A certain news item is restricted to a usergroup, which is all fine. It is not
> being displayed normally.
>
> When searching for content (with indexed search) which is a part of one 
> access restricted news item, the news is listed in the search results. 
> The subheader is replaced with the no-matching content message, but the 
> headline is displayed!! Clicking the 
> item rightfully makes the news displayer throw the error; "no news id 
> given", which is securing the whole news not being shown. But the item 
> shouldn't be in the list of results, the headline itself could be 
> critical, as it could be stating something normal visitors should not find 
> when searching.
>
> Anyone have a clue?
>
> P.S. I tried loads of solutions, cleaning the indexed pages, searching 
> docs for missing settings and so on, nothing solves it.
> Could someone test it in their own installation to determine if this 
> should be considered a bug either in the news system or the indexed search 
> engine.
>
> Regards,
>
>
> Lars Houmark
> 
