Details
- Type: Bug
- Resolution: Fixed
- Priority: High
- Affects versions: 5.0, 5.1, 5.2-alpha1
Description
ContentService::loadRelations( VersionInfo $versionInfo ) does not check whether the given VersionInfo refers to the currently published version.
As a result, the content/versionread policy is always checked. This fails, for example, for the anonymous user even when the given $versionInfo refers to the currently published version of a Content item that the anonymous user is allowed to read.
Use case:
As the anonymous user, make the following request over REST:

    GET /api/ezp/v2/content/objects/59 HTTP/1.1
    Accept: application/vnd.ez.api.ContentInfo+xml

This works, because relations are not loaded for the ContentInfo structure.
However, this request fails:

    GET /api/ezp/v2/content/objects/59 HTTP/1.1
    Accept: application/vnd.ez.api.Content+xml

with an Unauthorized exception carrying the message: User does not have access to 'versionread' 'content'
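The permission decision the report describes, written out as an added model in Python; it is not eZ Publish code and does not use the eZ Publish API. It assumes two policies, content/read (needed to see published content) and content/versionread (needed to see non-published versions), and contrasts the reported behaviour (versionread demanded unconditionally) with a version-aware check in which the currently published version only requires read. The user, policy and relation data are constructed for the example.

```python
"""Model of the version-aware permission check discussed in the issue.

Added example, not eZ Publish code. Assumed policies:
  content/read        - required to see published content
  content/versionread - required to see versions that are not published
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VersionInfo:
    content_id: int
    version_no: int
    is_published: bool  # True when this is the currently published version


@dataclass(frozen=True)
class User:
    name: str
    policies: frozenset  # e.g. frozenset({"content/read"})


class Unauthorized(Exception):
    pass


# Constructed relation table keyed by (content id, version number).
RELATIONS = {(59, 3): [60, 61], (59, 4): [62]}


def relations_for(version_info: VersionInfo) -> list:
    return RELATIONS.get((version_info.content_id, version_info.version_no), [])


def load_relations_reported(user: User, version_info: VersionInfo) -> list:
    """Behaviour the issue reports: content/versionread is demanded for every
    version, so an anonymous user is refused even for the published one."""
    if "content/versionread" not in user.policies:
        raise Unauthorized("User does not have access to 'versionread' 'content'")
    return relations_for(version_info)


def load_relations_version_aware(user: User, version_info: VersionInfo) -> list:
    """Assumed corrected behaviour: the published version only needs
    content/read; any other version still needs content/versionread."""
    required = "content/read" if version_info.is_published else "content/versionread"
    if required not in user.policies:
        function = required.split("/")[1]
        raise Unauthorized(f"User does not have access to '{function}' 'content'")
    return relations_for(version_info)


def check(loader, user: User, version_info: VersionInfo) -> tuple:
    """Run a loader and report ('ok', relations) or ('denied', message)."""
    try:
        return ("ok", loader(user, version_info))
    except Unauthorized as exc:
        return ("denied", str(exc))


# Constructed users and versions: anonymous can read published content only.
ANONYMOUS = User("anonymous", frozenset({"content/read"}))
EDITOR = User("editor", frozenset({"content/read", "content/versionread"}))
PUBLISHED = VersionInfo(content_id=59, version_no=3, is_published=True)
DRAFT = VersionInfo(content_id=59, version_no=4, is_published=False)


if __name__ == "__main__":
    for label, loader in (("reported", load_relations_reported),
                          ("version-aware", load_relations_version_aware)):
        for user in (ANONYMOUS, EDITOR):
            for vi in (PUBLISHED, DRAFT):
                print(label, user.name, vi.version_no, check(loader, user, vi))
```

The version-aware variant keeps the draft still protected by versionread while letting the published version be read by anyone holding content/read, which is the distinction the report says loadRelations was missing.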
Issue Links
- is duplicated by EZP-20290: REST: Requesting the content of a published object require versionread permission (Closed)