- Type: Bug Report
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: 1.2.0-RC1
- Component/s: General
- Labels: None
- External issue URL:
- Change Log Message: Fixes issue, when user still able to access pages, that became protected (via category permissions)
- Story Points: 1
- External issue ID: 1312
- Copy Issue Key:
- Patch Instructions:
We don't check the CATEGORY.VIEW permission on category listing pages or the item .VIEW permissions (e.g. LINK.VIEW, PRODUCT.VIEW) on the corresponding item detail pages.
This results in the ability to open a category/item detail page even if you don't have the corresponding view permission but only have a direct link to that page.
Of course, links to inaccessible pages are not built anywhere, but a page might have been public before (e.g. at the time Google indexed it) but is inaccessible now.
Also, I think that we should throw a "403 Forbidden" HTTP code on the "No Permission" page, where the user is redirected after accessing a page which he can't access.
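
The check this report asks for, as an added sketch that is not the project's code: the page handlers test the view permission on every request, independently of whether a link to the page was ever built, and answer with 403. Only the permission names come from the report; the groups, the `GRANTS` and `ITEMS` tables, the URL shape and all function names are assumptions made for the illustration.

```python
# Added illustration; data model and names are assumptions, not the project's code.
# Constructed sample grants: (user group, category id) -> permissions held there.
GRANTS = {
    ("guest", 10): {"CATEGORY.VIEW", "LINK.VIEW"},   # still public
    ("guest", 20): set(),                            # was public, now protected
    ("member", 20): {"CATEGORY.VIEW", "LINK.VIEW"},
}
# Constructed items: item id -> (permission prefix, owning category id).
ITEMS = {501: ("LINK", 10), 502: ("LINK", 20)}


def has_permission(group, category_id, permission):
    return permission in GRANTS.get((group, category_id), set())


def visible_item_links(group):
    """Link building: hides links the group cannot view. This is presentation only."""
    return [f"/item/{i}" for i, (prefix, cat) in sorted(ITEMS.items())
            if has_permission(group, cat, f"{prefix}.VIEW")]


def category_page(group, category_id):
    """Listing page handler: enforce CATEGORY.VIEW on every request."""
    if not has_permission(group, category_id, "CATEGORY.VIEW"):
        return 403, "No Permission"
    return 200, f"category {category_id}"


def item_page(group, item_id):
    """Detail page handler: enforce <PREFIX>.VIEW in the item's category."""
    if item_id not in ITEMS:
        return 404, "Not Found"
    prefix, category_id = ITEMS[item_id]
    if not has_permission(group, category_id, f"{prefix}.VIEW"):
        return 403, "No Permission"   # status code matches the page shown
    return 200, f"{prefix.lower()} {item_id}"


if __name__ == "__main__":
    print(visible_item_links("guest"))   # link to item 502 is not built
    print(item_page("guest", 502))       # old direct link is still refused
    print(item_page("member", 502))
```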