|
In-Portal Issue Tracker - Advanced
|
|
Viewing Issue Advanced Details |
|
|
ID:
|
Category:
|
Type:
|
Reproducibility:
|
Date Submitted:
|
Last Update:
|
|
1312 |
[In-Portal CMS] Front End |
bug report |
always |
2012-06-11 06:51 |
2012-07-25 05:29 |
|
|
Reporter:
|
alex |
Platform:
|
|
|
|
Assigned To:
|
alex |
OS:
|
|
|
|
Priority:
|
normal |
OS Version:
|
|
|
|
Status:
|
closed |
Product Version:
|
5.1.3 |
|
|
Product Build:
|
|
Resolution:
|
fixed |
|
| |
|
ETA:
|
none |
Fixed in Version:
|
1.2.0-RC1 |
|
|
Reference:
|
https://groups.google.com/d/topic/in-portal-bugs/GB2NLFHiH6k/discussion |
|
Change Log Message:
|
Fixes issue, when user still able to access pages, that became protected (via category permissions) |
|
Estimate Points:
|
1 |
|
|
Summary:
|
0001312: CATEGORY.VIEW permission is not checked in templates |
|
Description:
|
We don't check CATEGORY.VIEW permission on category listing pages and item .VIEW (e.g. LINK.VIEW, PRODUCT.VIEW) permissions on corresponding item detail pages.
This results in ability to open category/item detail page even if you don't have corresponding view permission, but only have direct link to that page.
Of course links to in accessible pages are not built anywhere, but page might have been public before (e.g. at time Google indexed it) but is inaccessible now.
Also I think that we should throw "403 Forbidden" HTTP code on "No Permission" page, where user is redirected after accessing a page which he can't access. |
|
Steps To Reproduce:
|
|
|
Additional Information:
|
|
| Relationships | |
|
Attached Files:
|
 view_permission_check_inside_categories.patch (3,894) 2012-06-11 10:31
http://tracker.in-portal.org/file_download.php?file_id=1702&type=bug |
|
|
Issue History |
|
Date Modified |
Username |
Field |
Change |
|
2012-07-25 05:29 |
alex |
Note Added: 0004867 |
|
|
2012-07-25 05:29 |
alex |
Status |
resolved => closed |
|
2012-06-11 10:33 |
alex |
Note Added: 0004716 |
|
|
2012-06-11 10:33 |
alex |
Status |
reviewed and tested => resolved |
|
2012-06-11 10:33 |
alex |
Fixed in Version |
=> 1.2.0-RC1 |
|
2012-06-11 10:33 |
alex |
Resolution |
open => fixed |
|
2012-06-11 10:33 |
alex |
Assigned To |
!COMMUNITY => alex |
|
2012-06-11 10:33 |
alex |
Changeset attached |
1.2.x r15388 |
|
2012-06-11 10:32 |
alex |
Note Added: 0004715 |
|
|
2012-06-11 10:32 |
alex |
Status |
needs testing => reviewed and tested |
|
2012-06-11 10:32 |
alex |
Assigned To |
=> !COMMUNITY |
|
2012-06-11 10:32 |
alex |
Developer |
=> alex |
|
2012-06-11 10:32 |
alex |
Status |
active => needs testing |
|
2012-06-11 10:31 |
alex |
File Added: view_permission_check_inside_categories.patch |
|
|
2012-06-11 06:52 |
alex |
Project |
In-Portal CMS => Advanced |
|
2012-06-11 06:51 |
alex |
New Issue |
|
|
2012-06-11 06:51 |
alex |
Reference |
=> https://groups.google.com/d/topic/in-portal-bugs/GB2NLFHiH6k/discussion |
|
2012-06-11 06:51 |
alex |
Change Log Message |
=> Fixes issue, when user still able to access pages, that became protected (via category permissions) |
|
2012-06-11 06:51 |
alex |
Estimate Points |
=> 1 |