Details
- Bug
- Resolution: Fixed
- Medium
- None
- 4.1.4, 4.2.0, 4.3.0, 4.4.0beta1
- None
Description
eZ Publish allows you to limit roles (and hence also policies) so that they are only active in subtrees of the content tree. However, this limitation does not work for the "Section/Assign" policy.
Instead, a user with a "Section/Assign" policy can assign sections to any node regardless of subtree limitations. See the steps to reproduce for an example.
Steps to reproduce
As admin, create two new roles:
1. A role called "basic role" with unlimited "Content/Read" and unlimited "User/Login" policies.
2. Another role called "section role" with unlimited "Section/Assign" and unlimited "Section/View".
3. Create a user group and a test user in it. Call the user "tester".
4. Assign "basic role" to "tester".
5. Click "Setup" -> "Roles and policies". Click on the "section role" role. Choose "subtree" from the dropdown and click the "Assign with limitation" button.
6. Choose a content node and then the "tester" user when asked.
7. Log out as admin, log in as "tester".
8. Click "Setup" -> "Sections".
9. From here you can assign any section to any node, when in fact you should only be able to assign a section to the node you chose in (6).
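The following added example (not eZ Publish code and not part of the original report) models the check the report expects: a "section/assign" policy granted through a subtree-limited role assignment should only apply to nodes inside that subtree. The function names, the array layout and the path strings such as "/1/2/60/" are assumptions made for illustration.

```php
<?php
// Added illustration; not eZ Publish code. All names and data are hypothetical.

// Role assignments for "tester": policies plus an optional subtree limitation.
// Subtree limits and node locations are modelled as path strings ("/1/2/60/").
$assignments = [
    ['policies' => ['content/read', 'user/login'],     'subtree' => null],
    ['policies' => ['section/assign', 'section/view'], 'subtree' => '/1/2/60/'],
];

function isUnderSubtree(string $nodePath, string $subtree): bool
{
    // Normalise to a trailing slash so whole segments are compared:
    // "/1/2/600/" must not match a limit of "/1/2/60/".
    $nodePath = rtrim($nodePath, '/') . '/';
    $subtree  = rtrim($subtree, '/') . '/';
    return strncmp($nodePath, $subtree, strlen($subtree)) === 0;
}

// Behaviour described in the report: the policy is found, the limitation is ignored.
function canAssignSectionIgnoringLimit(array $assignments, string $nodePath): bool
{
    foreach ($assignments as $a) {
        if (in_array('section/assign', $a['policies'], true)) {
            return true;
        }
    }
    return false;
}

// Expected behaviour: the policy only applies inside the assignment's subtree.
function canAssignSection(array $assignments, string $nodePath): bool
{
    foreach ($assignments as $a) {
        if (!in_array('section/assign', $a['policies'], true)) {
            continue;
        }
        if ($a['subtree'] === null || isUnderSubtree($nodePath, $a['subtree'])) {
            return true;
        }
    }
    return false;
}

// Constructed node paths: the limited node, a child, a sibling, a look-alike prefix.
foreach (['/1/2/60/', '/1/2/60/75/', '/1/2/61/', '/1/2/600/'] as $path) {
    printf("%-12s ignoring-limit=%s enforced=%s\n", $path,
        var_export(canAssignSectionIgnoringLimit($assignments, $path), true),
        var_export(canAssignSection($assignments, $path), true));
}
```

The same four paths work as a regression matrix for the fix: the sibling and the look-alike prefix are the cases that must be denied.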
Issue Links
- relates to
- EZP-23341 Incorrect role/policy subtree limitation handling in section/assign
- Closed