eZ Publish / Platform: EZP-21219

versionread policy not checked in ContentService::loadContent

      Description

      Through the public API, an Anonymous user without versionview permissions can access draft content through ContentService::loadContent, by specifying the version number.

      Steps to reproduce:

      • As admin, create the first version of a content object, and publish it
      • Still as admin, create a new version of the content object, but store it as a draft, do not publish it
      • Through the Public API, as an Anonymous user, load the unpublished/draft content:
      $contentService->loadContent($contentId, null, $draftVersionNo);
      
      • The operation completes successfully, and the draft content is made available. Note that if the version number is not specified, the published content will be returned, as opposed to the draft content.
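
The missing check described in this report, as an added PHP model (not code from the eZ Publish kernel or from the reporter). Every function, class, policy string and data value in it is a hypothetical, constructed stand-in; the assumption is that a `read` policy is checked while `versionread` is not.

```php
<?php
// Added model, not eZ Publish kernel code; every name below is hypothetical.
final class UnauthorizedException extends RuntimeException {}

// Constructed data: content 42 has published version 1 and draft version 2.
$versions = [42 => [
    1 => ['status' => 'published', 'body' => 'public text'],
    2 => ['status' => 'draft', 'body' => 'unreleased text'],
]];
// Constructed policy sets (assumed names): Anonymous holds no versionread.
$policies = ['anonymous' => ['read'], 'admin' => ['read', 'versionread']];

function canUser(array $policies, string $user, string $policy): bool
{
    return in_array($policy, $policies[$user] ?? [], true);
}

function resolveVersion(array $versions, int $id, ?int $versionNo): array
{
    foreach ($versions[$id] ?? [] as $no => $v) {
        // No version number given: fall back to the published version.
        $wanted = $versionNo === null ? $v['status'] === 'published' : $no === $versionNo;
        if ($wanted) { return $v; }
    }
    throw new OutOfBoundsException('version not found');
}

// $enforceVersionRead = false models the reported behaviour; true is the hardened check.
function loadContent(array $versions, array $policies, string $user, int $id, ?int $versionNo, bool $enforceVersionRead): array
{
    if (!canUser($policies, $user, 'read')) {
        throw new UnauthorizedException('read');
    }
    $version = resolveVersion($versions, $id, $versionNo);
    if ($enforceVersionRead && $version['status'] !== 'published' && !canUser($policies, $user, 'versionread')) {
        throw new UnauthorizedException('versionread');
    }
    return $version;
}

// Anonymous requests draft version 2, first without and then with the version check.
foreach ([false, true] as $enforce) {
    try {
        echo loadContent($versions, $policies, 'anonymous', 42, 2, $enforce)['body'], "\n";
    } catch (UnauthorizedException $e) {
        echo 'denied, missing policy: ', $e->getMessage(), "\n";
    }
}
```

The check is placed after version resolution so that it applies to whatever version is actually returned, whether or not the caller passed a version number.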

              People

              • Assignee:
                Unassigned
                Reporter:
                Filipe.Dobreira@ez.no Filipe Dobreira (Inactive)
                  Time Tracking

                  Original Estimate: Not Specified
                  Remaining Estimate: 1 day, 2 hours, 55 minutes (1d 2h 55m)
                  Time Spent: 4 days, 5 hours, 10 minutes (4d 5h 10m)