Uploaded image for project: 'eZ Publish / Platform'
  1. eZ Publish / Platform
  2. EZP-21625

ContentService::loadRelations( VersionInfo $versionInfo ) does not check if given VersionInfo is about currently published version

    XMLWordPrintable

Details

    Description

      ContentService::loadRelations( VersionInfo $versionInfo ) does not check if given VersionInfo is about currently published version.

      As a result content/versionread is always checked, which will for example fail for anonymous user even in the case when given $versionInfo is about currently published version of Content that the anonymous user can access.

      Use case:

      with anonymous user make a following request over REST:

      GET /api/ezp/v2/content/objects/59 HTTP/1.1
Accept: application/vnd.ez.api.ContentInfo+xml

      This will work as relations are not loaded for ContentInfo structure.
      However, this will fail:

      GET /api/ezp/v2/content/objects/59 HTTP/1.1
Accept: application/vnd.ez.api.Content+xml

      with Unauthorized exception with message: User does not have access to 'versionread' 'content'

      Attachments

        Activity

          People

            Unassigned Unassigned
            petar.spanja-obsolete@ez.no Petar Spanja (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 2 hours, 30 minutes
                2h 30m