Details
Bug
Resolution: Duplicate
High
None
5.0
None
Description
I tried to request an object over the REST API v2 as an anonymous user with content/read permission.
Request:
GET /api/ezp/v2/content/objects/57
Accept: application/vnd.ez.api.Content+json
Response:
{
  "ErrorMessage": {
    "_media-type": "application/vnd.ez.api.ErrorMessage+json",
    "errorCode": 401,
    "errorMessage": "Unauthorized",
    "errorDescription": "User does not have access to 'versionread' 'content'",
    ...
Usually you don't want to give the anonymous user full versionread permission, so I tried it with a versionread permission limited to status/published.
With this permission in place, I got the following response:
{
  "ErrorMessage": {
    "_media-type": "application/vnd.ez.api.ErrorMessage+json",
    "errorCode": 404,
    "errorMessage": "Not Found",
    "errorDescription": "Could not find 'Limitation' with identifier 'Status'",
    ...
After removing the limitation, it worked as expected, but the user also had access to the version list of the object (/content/objects/57/versions).
However, I think that a user with the content/read permission should have access to the current published version of an object. Actually, it seems to be impossible to provide the published content of an object to a user without giving the user permission to view all object versions.
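Added example, not code from the ticket or from eZ Publish: a small Python probe that issues the two anonymous requests discussed above, GET /api/ezp/v2/content/objects/57 and GET /api/ezp/v2/content/objects/57/versions, and classifies the anonymous role's effective access from the vnd.ez.api.ErrorMessage envelope. The two sample bodies are constructed from the responses quoted above (reduced to the quoted fields). BASE_URL, the VersionList media type for the versions request, and the handling of an unauthenticated request as the anonymous user are assumptions.

```python
import json
import urllib.error
import urllib.request

# Assumptions (not from the ticket): where the instance lives and that an
# unauthenticated request is handled as the anonymous user.
BASE_URL = "http://localhost"
CONTENT_ID = 57  # object id used in the ticket

CONTENT_ACCEPT = "application/vnd.ez.api.Content+json"  # from the ticket
# Assumed media type for the version list, following the REST v2 naming pattern.
VERSION_LIST_ACCEPT = "application/vnd.ez.api.VersionList+json"

# Constructed sample bodies, reduced to the fields quoted in the ticket.
ERR_VERSIONREAD = json.dumps({"ErrorMessage": {
    "_media-type": "application/vnd.ez.api.ErrorMessage+json",
    "errorCode": 401,
    "errorMessage": "Unauthorized",
    "errorDescription": "User does not have access to 'versionread' 'content'"}})
ERR_LIMITATION = json.dumps({"ErrorMessage": {
    "_media-type": "application/vnd.ez.api.ErrorMessage+json",
    "errorCode": 404,
    "errorMessage": "Not Found",
    "errorDescription": "Could not find 'Limitation' with identifier 'Status'"}})


def parse_error(body):
    """Return (errorCode, errorDescription) from an ErrorMessage envelope,
    or (None, "") when the body is not one (e.g. a successful Content response)."""
    try:
        data = json.loads(body)
    except ValueError:
        return None, ""
    err = data.get("ErrorMessage") if isinstance(data, dict) else None
    if not isinstance(err, dict):
        return None, ""
    return err.get("errorCode"), err.get("errorDescription", "")


def fetch(path, accept):
    """GET path without credentials; return (http_status, body). Network call."""
    req = urllib.request.Request(BASE_URL + path, headers={"Accept": accept})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def verdict(object_status, object_body, versions_status):
    """Classify the anonymous role's effective access from the two probes."""
    _, description = parse_error(object_body)
    if object_status == 401 and "versionread" in description:
        return "NO_VERSIONREAD"       # published content is not readable at all
    if object_status == 404 and "Limitation" in description:
        return "LIMITATION_REJECTED"  # the Status-limited policy case from the ticket
    if object_status == 200 and versions_status == 200:
        return "VERSIONS_EXPOSED"     # readable, but the version list is open too
    if object_status == 200 and versions_status in (401, 403):
        return "PUBLISHED_ONLY"       # the state the reporter is asking for
    return "UNEXPECTED"


if __name__ == "__main__":
    base = f"/api/ezp/v2/content/objects/{CONTENT_ID}"
    obj_status, obj_body = fetch(base, CONTENT_ACCEPT)
    ver_status, _ = fetch(base + "/versions", VERSION_LIST_ACCEPT)
    print(verdict(obj_status, obj_body, ver_status))
```

Run it after changing the anonymous role: PUBLISHED_ONLY is the target, VERSIONS_EXPOSED means the role grants full versionread and every draft or archived version of the object is listable anonymously.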
Attachments
Issue Links
duplicates: EZP-21625 ContentService::loadRelations( VersionInfo $versionInfo ) does not check if given VersionInfo is about currently published version (Closed)