eZ Publish / Platform / EZP-21625

ContentService::loadRelations( VersionInfo $versionInfo ) does not check whether the given VersionInfo refers to the currently published version

    Description

      ContentService::loadRelations( VersionInfo $versionInfo ) does not check whether the given VersionInfo refers to the currently published version.

      As a result, content/versionread is always checked. This fails, for example, for the anonymous user even when the given $versionInfo refers to the currently published version of Content that the anonymous user can access.

      Use case:

      As the anonymous user, make the following request over REST:

      GET /api/ezp/v2/content/objects/59 HTTP/1.1
      Accept: application/vnd.ez.api.ContentInfo+xml
      

      This works because relations are not loaded for the ContentInfo structure.
      However, this request fails:

      GET /api/ezp/v2/content/objects/59 HTTP/1.1
      Accept: application/vnd.ez.api.Content+xml
      

      It fails with an Unauthorized exception with the message: User does not have access to 'versionread' 'content'
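
The check described above, contrasted with a status-aware one, as an added illustration that is not taken from the eZ Publish code base. `VersionStub`, `canUser`, the two selector functions and the anonymous policy list are constructed stand-ins, not the real API.

```php
<?php
// Added illustration: stand-in types and constructed data, not eZ Publish classes.
const STATUS_DRAFT = 0;
const STATUS_PUBLISHED = 1;

final class VersionStub
{
    public function __construct(
        public int $contentId,
        public int $versionNo,
        public int $status
    ) {}
}

// Constructed policy list for the anonymous role: read only, no versionread.
$anonymousPolicies = ['content/read'];

function canUser(array $policies, string $module, string $function): bool
{
    return in_array("$module/$function", $policies, true);
}

// Behaviour described in the report: versionread is required for every version.
function requiredFunctionReported(VersionStub $v): string
{
    return 'versionread';
}

// Status-aware selection: only the published version is covered by plain read.
function requiredFunctionStatusAware(VersionStub $v): string
{
    return $v->status === STATUS_PUBLISHED ? 'read' : 'versionread';
}

function loadRelations(array $policies, VersionStub $v, callable $select): string
{
    $function = $select($v);
    if (!canUser($policies, 'content', $function)) {
        return "denied: User does not have access to '$function' 'content'";
    }
    return "relations loaded for content {$v->contentId} v{$v->versionNo}";
}

$versions = [new VersionStub(59, 1, STATUS_PUBLISHED), new VersionStub(59, 2, STATUS_DRAFT)];
foreach (['requiredFunctionReported', 'requiredFunctionStatusAware'] as $select) {
    foreach ($versions as $v) {
        echo "$select status={$v->status}: ", loadRelations($anonymousPolicies, $v, $select), PHP_EOL;
    }
}
```

With the status-aware selection the published version loads for the anonymous policy list, while the draft is still denied, so the relaxed check does not expose unpublished versions.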

            People

              Unassigned Unassigned
              petar.spanja-obsolete@ez.no Petar Spanja (Inactive)

                Time Tracking

                  Estimated: Original Estimate - Not Specified
                  Remaining: Remaining Estimate - 0 minutes
                  Logged: Time Spent - 2 hours, 30 minutes