Details
- Bug
- Resolution: Fixed
- High
- 5.2, 2014.01, 5.3-dev
Description
PreviewController::previewContentAction() checks whether the current user is authorized to access any version of the content:
if ( !$this->securityContext->isGranted( new AuthorizationAttribute( 'content', 'versionview', array( 'valueObject' => $content ) ) ) )
But there is no policy for a module function "content/versionview", so it's not possible to grant access to the Preview to any user who doesn't have unlimited access to content module functions.
Comparing this to the legacy preview function, "content/versionread" should be used, so the line should be:
if ( !$this->securityContext->isGranted( new AuthorizationAttribute( 'content', 'versionread', array( 'valueObject' => $content ) ) ) )
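An added example, not part of the original report and not eZ Publish code: a simplified PHP model of the failure described above, where a check against a function with no assignable policy passes only for users with unlimited module access, plus a guard that flags such attributes. MODULE_FUNCTIONS, isGranted, assignablePolicies and isDefinedFunction are hypothetical names, and the function list is a constructed subset.

```php
<?php
// Simplified model, not eZ Publish code: the policy functions an admin can
// assign per module (constructed subset for illustration).
const MODULE_FUNCTIONS = [
    'content' => ['read', 'versionread'],
];

/**
 * Models the grant decision: a user passes if they hold a policy for exactly
 * this module/function, or a wildcard policy for the whole module.
 * $policies maps module => list of functions, where '*' means unlimited.
 */
function isGranted(array $policies, string $module, string $function): bool
{
    $granted = $policies[$module] ?? [];
    return in_array('*', $granted, true) || in_array($function, $granted, true);
}

/**
 * Builds the policy set an admin can actually assign: requested functions
 * that the module does not define cannot be selected, so they are dropped.
 */
function assignablePolicies(string $module, array $requested): array
{
    $defined = MODULE_FUNCTIONS[$module] ?? [];
    return [$module => array_values(array_intersect($requested, $defined))];
}

/** Guard for tests/CI: does a checked attribute name a defined function? */
function isDefinedFunction(string $module, string $function): bool
{
    return in_array($function, MODULE_FUNCTIONS[$module] ?? [], true);
}

// Constructed users: an editor with every assignable version policy, and an
// administrator with unlimited access to the content module.
$editor = assignablePolicies('content', ['read', 'versionread', 'versionview']);
$admin  = ['content' => ['*']];

foreach (['versionview', 'versionread'] as $function) {
    printf(
        "content/%s defined=%s editor=%s admin=%s\n",
        $function,
        var_export(isDefinedFunction('content', $function), true),
        var_export(isGranted($editor, 'content', $function), true),
        var_export(isGranted($admin, 'content', $function), true)
    );
}
```

Running a check like isDefinedFunction over every module/function pair passed to an authorization call in a test suite catches this class of mismatch before release.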
Issue Links
- relates to EZP-21438 Improve relation permission handling to use view_embed (Closed)