Details
Bug
Resolution: Fixed
High
extension/ezflow 2.0-0, extension/ezflow 2.1.0, extension/ezflow 2.2
None
Description
When publishing a homepage, the initial content for the ezflow dynamic blocks is created using the editor's permissions.
As a result, content restricted by node, subtree, section or object state limitations is listed in this block, even though it cannot be seen by anonymous users.
Steps to reproduce
1. Install eZ Publish 4.4 + eZ Flow.
2. Create an object state group with 2 states, and set only one of them as readable by anonymous.
3. Assign the state anonymous can't read to one of the "news" folder items.
4. Add an ezflow Latest content block to the homepage, use News as the source folder, and article as the class.
The homepage will list the article with the disallowed state, but the full view will be denied.
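The failure mode described above, as an added Python model (not eZ Publish or eZ Flow code, and not part of the original report): a block is filled at publish time with the publishing user's permissions and later shown to a viewer with fewer rights. All names and data are constructed; filling the block as anonymous and re-checking at view time are two generic remedies assumed here, not necessarily the fix the project shipped.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Article:
    name: str
    state: str                    # object state assigned to the article

@dataclass(frozen=True)
class User:
    login: str
    readable_states: frozenset    # states this user's policies allow reading

    def can_read(self, article):
        return article.state in self.readable_states

# Constructed data mirroring the reproduction steps (all names hypothetical).
NEWS = {a.name: a for a in (Article("Public launch", "public"),
                            Article("Embargoed results", "restricted"))}
EDITOR = User("editor", frozenset({"public", "restricted"}))
ANONYMOUS = User("anonymous", frozenset({"public"}))

def fill_block(fetch_as):
    """Publish time: store the names of articles `fetch_as` may read."""
    return [a.name for a in NEWS.values() if fetch_as.can_read(a)]

def render_block(stored, viewer, recheck=False):
    """View time: the flawed path shows the stored list without a check."""
    if not recheck:
        return list(stored)
    return [n for n in stored if viewer.can_read(NEWS[n])]

def full_view(name, viewer):
    """The full view checks the requesting user, so it denies."""
    return "ok" if viewer.can_read(NEWS[name]) else "access denied"

def leaked(stored, viewer):
    """Regression check: stored items the viewer must not see."""
    return [n for n in stored if not viewer.can_read(NEWS[n])]

if __name__ == "__main__":
    stored = fill_block(EDITOR)   # block filled with the editor's permissions
    print("block as anonymous:", render_block(stored, ANONYMOUS))
    print("full view:", full_view("Embargoed results", ANONYMOUS))
    print("leaked:", leaked(stored, ANONYMOUS))
    print("fill as anonymous:", fill_block(ANONYMOUS))
    print("recheck at view:", render_block(stored, ANONYMOUS, recheck=True))
```

A check like `leaked()` run against stored block contents for the least-privileged role catches this class of regression regardless of which limitation type (node, subtree, section or object state) restricts the item.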