[TADV-27] CATEGORY.VIEW permission is not checked in templates - In-Portal Issue Tracker

XML

Word

Printable

Details

Type: Bug Report
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.2.0-RC1
Component/s: General
Labels:
None

External issue URL:
http://tracker.in-portal.org/view.php?id=1312
Change Log Message:
Fixes issue, when user still able to access pages, that became protected (via category permissions)
Story Points:
1
External issue ID:
1312
Copy Issue Key:
Patch Instructions:
Patches must be submitted through Phabricator.
- To submit patch via Command Line use Patches Workflow (via Arcanist) tutorial
- To submit patch via Web Interface use Patches Workflow (via Web Interface) tutorial

Description

We don't check CATEGORY.VIEW permission on category listing pages and item .VIEW (e.g. LINK.VIEW, PRODUCT.VIEW) permissions on corresponding item detail pages.

This results in ability to open category/item detail page even if you don't have corresponding view permission, but only have direct link to that page.

Of course links to in accessible pages are not built anywhere, but page might have been public before (e.g. at time Google indexed it) but is inaccessible now.

Also I think that we should throw "403 Forbidden" HTTP code on "No Permission" page, where user is redirected after accessing a page which he can't access.

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

view_permission_check_inside_categories.patch
4 kB
11/Jun/12 10:31 AM

Issue Links

mentioned in: Wiki Page Loading...

Activity

People

Assignee:

Alex

Reporter:

Alex

Developer:

Alex

Votes:

0 Vote for this issue

Watchers:

0 Start watching this issue

Dates

Created:

11/Jun/12 6:51 AM

Updated:

27/Mar/16 10:50 AM

Resolved:

25/Jul/12 5:29 AM