  1. eZ Publish / Platform
  2. EZP-9350

Policies with section limitations seem not to be updated when removing section


Details

    • Bug
    • Resolution: Fixed
    • Low
    • 3.10.0rc1
    • 3.8.4
    • Misc
    • None

    Description

      In the ez.no/doc dataset I found this behaviour:

      • one of the policies of anonymous user group

      content read Section( Standard , eZ publish , Extensions , FAQ )

      • the generated SQL permission string is:

      AND ezcontentobject.section_id in (1, 5, 6, 7, 8)

      In the first place, there are only four sections, but in the permission string there are five. This is probably because of section 8, which does not exist any more if I go to /section/list.

      This is not consistent at all. Either section 8 should be displayed somehow in /section/list or it should not be used in the permission string.

      Of course this is no problem if no objects of section 8 exist. (I guess it is not checked if there are objects in a section left when deleting the section.) But you could construct very specific situations where this could be a security hole - but I guess this is not really probable...

      The best solution would be to update all affected policies when deleting a section. (Probably all versions are affected, not only 3.8.4.)

      Thomas
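
Added example, not part of the original report or eZ Publish's own code: an audit for the inconsistency described above, run on a constructed, simplified schema (the table names `section`, `policy_section_limit` and `contentobject`, and policy id 100, are hypothetical). It lists limitation rows that point at deleted sections, the objects still assigned to such a section, and one way to delete a section so that its limitations go with it.

```python
import sqlite3

# Constructed, simplified schema; hypothetical table names, not eZ Publish's real tables.
SCHEMA = """
CREATE TABLE section (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE policy_section_limit (policy_id INTEGER, section_id INTEGER);
CREATE TABLE contentobject (id INTEGER PRIMARY KEY, name TEXT, section_id INTEGER);
"""

def build_sample_db():
    """In-memory sample mirroring the report: four sections, five limitation values."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO section VALUES (?, ?)",
                   [(1, "Standard"), (5, "eZ publish"), (6, "Extensions"), (7, "FAQ")])
    # Policy 100 stands for the anonymous "content read" policy; section 8 is gone
    # from the section table, but its limitation row was left behind.
    db.executemany("INSERT INTO policy_section_limit VALUES (100, ?)",
                   [(1,), (5,), (6,), (7,), (8,)])
    db.executemany("INSERT INTO contentobject VALUES (?, ?, ?)",
                   [(10, "Public page", 1), (11, "Left-over object", 8)])
    db.commit()
    return db

def stale_limitations(db):
    """(policy_id, section_id) pairs whose section no longer exists."""
    return db.execute("""
        SELECT l.policy_id, l.section_id FROM policy_section_limit l
        LEFT JOIN section s ON s.id = l.section_id
        WHERE s.id IS NULL ORDER BY l.policy_id, l.section_id""").fetchall()

def exposed_objects(db):
    """Objects in a deleted section that a stale limitation still grants access to."""
    return db.execute("""
        SELECT DISTINCT o.id, o.section_id FROM contentobject o
        JOIN policy_section_limit l ON l.section_id = o.section_id
        LEFT JOIN section s ON s.id = o.section_id
        WHERE s.id IS NULL ORDER BY o.id""").fetchall()

def delete_section(db, section_id):
    """Delete a section and its limitation rows atomically; refuse if objects remain."""
    with db:  # commits on success, rolls back on exception
        n = db.execute("SELECT COUNT(*) FROM contentobject WHERE section_id = ?",
                       (section_id,)).fetchone()[0]
        if n:
            raise ValueError(f"section {section_id} still holds {n} object(s)")
        db.execute("DELETE FROM policy_section_limit WHERE section_id = ?", (section_id,))
        db.execute("DELETE FROM section WHERE id = ?", (section_id,))
```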

          People

            rl
            to_nu