Description
In the ez.no/doc dataset I found this behaviour:
- one of the policies of the anonymous user group is:
content read Section( Standard , eZ publish , Extensions , FAQ )
- the generated SQL permission string is:
AND ezcontentobject.section_id in (1, 5, 6, 7, 8)
In the first place, there are only four sections, but in the permission string there are five. This is probably because of section 8, which does not exist any more if I go to /section/list.
This is not consistent at all. Either section 8 should be displayed somehow in /section/list or it should not be used in the permission string.
Of course this is no problem if no objects of section 8 exist. (I guess it is not checked whether there are objects left in a section when deleting the section.) But you could construct very specific situations where this could be a security hole - but I guess this is not really probable...
The best solution would be to update all affected policies when deleting a section. (Probably all versions are affected, not only 3.8.4.)
Thomas
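
An added example, not part of the original report and not eZ Publish code: a check for policy limitations that still list a deleted section, plus a section delete that cleans up policies in the same transaction, as the report proposes. Apart from ezcontentobject.section_id, the table names, the policy id 100, the object id 42 and the pairing of section names with ids are assumptions constructed for the example.

```python
import sqlite3

# Constructed miniature schema. Only ezcontentobject.section_id comes from the
# report; the other table names are assumptions, not the eZ Publish schema.
SCHEMA = """
CREATE TABLE section (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE policy_section_limit (policy_id INTEGER, section_id INTEGER);
CREATE TABLE ezcontentobject (id INTEGER PRIMARY KEY, section_id INTEGER);
"""

def build_sample_db():
    """Reported state: four sections exist, the policy lists five ids."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO section VALUES (?, ?)",  # pairing is constructed
                   [(1, "Standard"), (5, "eZ publish"), (6, "Extensions"), (7, "FAQ")])
    db.executemany("INSERT INTO policy_section_limit VALUES (?, ?)",
                   [(100, s) for s in (1, 5, 6, 7, 8)])
    db.execute("INSERT INTO ezcontentobject VALUES (42, 8)")  # left in section 8
    db.commit()
    return db

def dangling_section_limits(db):
    """Policy limitations that reference a section id with no section row."""
    return db.execute(
        "SELECT l.policy_id, l.section_id FROM policy_section_limit l "
        "LEFT JOIN section s ON s.id = l.section_id "
        "WHERE s.id IS NULL ORDER BY l.policy_id, l.section_id").fetchall()

def orphaned_objects(db):
    """Objects still assigned to a section id that no longer exists."""
    return [r[0] for r in db.execute(
        "SELECT o.id FROM ezcontentobject o LEFT JOIN section s "
        "ON s.id = o.section_id WHERE s.id IS NULL ORDER BY o.id")]

def delete_section(db, section_id):
    """Delete a section and its policy references in one transaction.
    Refuses while objects are still assigned to the section."""
    with db:  # commits on success, rolls back if an exception is raised
        n = db.execute("SELECT COUNT(*) FROM ezcontentobject WHERE section_id = ?",
                       (section_id,)).fetchone()[0]
        if n:
            raise ValueError(f"section {section_id} still has {n} object(s)")
        db.execute("DELETE FROM policy_section_limit WHERE section_id = ?",
                   (section_id,))
        db.execute("DELETE FROM section WHERE id = ?", (section_id,))
```

Rows returned by dangling_section_limits are the ones that would make a stale id appear in the generated permission string; rows from orphaned_objects are the objects such a string would still match.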
Issue Links
- relates to EZP-11763 ezsubtreeremove.php - fatal error (Closed)