[TYPO3-core] RFC: Fixing bug #4207 (and #4468) - User>Workspaces shows users pages they have no access to
Martin Kutschker
Martin.Kutschker at n0spam-blackbox.net
Fri Feb 16 09:36:40 CET 2007
Martin Kutschker wrote:
> Martin Kutschker wrote:
>
>> Hi!
>>
>> This is a patch request.
>>
>> Branches: trunk and TYPO3_40
>>
>> Problem:
>>
>> User>Workspaces shows all changes in a WS without checking if the user
>> has access (show) to them.
>>
>> Solution:
>>
>> Check the access permissions.
>>
>> Notes:
>>
>> The permissions and the root line (used for display) are cached for
>> speeding up listings with many changes.
>>
>> Testing:
>>
>> Create a user who does not have access to the whole tree. Make changes in
>> DRAFT within his branch and other parts. As this user, go to DRAFT and
>> see the list of changes in User>Workspaces with and without the patch.
>
>
> As this bug discloses some information to users I think this should be
> fixed in 4.1. Exposing page titles and other record labels is a minor
> security risk (trusting your users?) and confusing (where does this page
> come from)?
REMINDER
Masi
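
The check and the caching described in the patch request, as an added example that is not part of the original message or of the TYPO3 patch: a listing keeps only the changes whose page the user may "show", and looks each page up once. The `perms_*` field names follow the TYPO3 `pages` table; the function names, the `page` key and the sample data are assumptions, and the page-tree (root line and mount) part of the real check is left out.

```php
<?php
// Added illustration, not TYPO3 core code. Helper names and data are constructed.
const PERM_SHOW = 1; // "show" bit of a page permission mask

function userCanShow(array $user, array $page): bool
{
    if ($user['admin']) {
        return true;
    }
    $mask = $page['perms_everybody'];
    if ($page['perms_userid'] === $user['uid']) {
        $mask |= $page['perms_user'];
    }
    if (in_array($page['perms_groupid'], $user['groups'], true)) {
        $mask |= $page['perms_group'];
    }
    return ($mask & PERM_SHOW) === PERM_SHOW;
}

// Keep only the workspace changes whose page the user may see.
// The cache lives inside one call, so a result computed for one user
// can never be served to another user or survive a permission change.
function filterVisibleChanges(array $user, array $pages, array $changes): array
{
    $cache = [];
    $visible = [];
    foreach ($changes as $change) {
        $pid = $change['page'];
        if (!array_key_exists($pid, $cache)) {
            // Unknown or deleted page: deny by default.
            $cache[$pid] = isset($pages[$pid]) && userCanShow($user, $pages[$pid]);
        }
        if ($cache[$pid]) {
            $visible[] = $change;
        }
    }
    return $visible;
}

// Constructed sample: the editor is in group 5, which owns page 10 only.
$pages = [
    10 => ['perms_userid' => 1, 'perms_groupid' => 5, 'perms_user' => 31, 'perms_group' => 27, 'perms_everybody' => 0],
    20 => ['perms_userid' => 1, 'perms_groupid' => 6, 'perms_user' => 31, 'perms_group' => 27, 'perms_everybody' => 0],
];
$editor  = ['uid' => 7, 'admin' => false, 'groups' => [5]];
$changes = [['label' => 'News', 'page' => 10], ['label' => 'Board minutes', 'page' => 20], ['label' => 'Teaser', 'page' => 10]];
foreach (filterVisibleChanges($editor, $pages, $changes) as $c) {
    echo $c['label'], PHP_EOL;
}
```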