[TYPO3-core] RFC: Fixing bug #4207 (and #4468) - User>Workspaces shows users pages they have no access to
Martin Kutschker
Martin.Kutschker at n0spam-blackbox.net
Wed Feb 14 17:04:12 CET 2007
Martin Kutschker wrote:
> Hi!
>
> This is a patch request.
>
> Branches: trunk and TYPO3_40
>
> Problem:
>
> User>Workspaces shows all changes in a WS without checking if the user
> has access (show) to them.
>
> Solution:
>
> Check the access permissions.
>
> Notes:
>
> The permissions and the root line (used for display) are cached for
> speeding up listings with many changes.
>
> Testing:
>
> Create a user who does not have access to the whole tree. Make changes in
> DRAFT within his branch and other parts. As this user, go to DRAFT and
> see the list of changes in User>Workspaces with and without the patch.
As this bug discloses some information to users, I think this should be
fixed in 4.1. Exposing page titles and other record labels is a minor
security risk (trusting your users?) and confusing (where does this page
come from?).
Masi
PS: I promise to stop requesting more patches for 4.1 ;-)