Affects Version/s: 5.0.0-dev
Operating System: RHEL 62
PHP Version: 5.3.3
Database and version: MySQL 5.1.61
Browser (and version): Firefox 13
The following issue was detected in ezp5, through the Legacy controller.
If you create an object of, for example, the File class, and upload a file, that file will be publicly accessible through its path inside the var folder (var/ezflow_site/storage/...), regardless of user permissions and the section where said file exists. Using the public path to the content (by, for example, retrieving the link from the object's preview), will always yield access to the content, regardless of the content's section.
Steps to reproduce:
1. Create a "File" object and upload a file
2. Create a new section and assign it to the object
3. Get the file's regular path from the object's preview, verify that it is accessible.
4. Logout and try to access the same URL, the file will still be accessible
5. Find the real path to the file in the filesystem, and type it into your address bar, for example, <site.com>/var/storage... . This file will be accessible.