eZ Publish / Platform: EZP-21219

versionread policy not checked in ContentService::loadContent

      Description

      Through the public API, an Anonymous user without versionview permissions can access draft content through ContentService::loadContent, by specifying the version number.

      Steps to reproduce:

      • As admin, create the first version of a content object, and publish it
      • Still as admin, create a new version of the content object, but store it as a draft, do not publish it
      • Through the Public API, as an Anonymous user, load the unpublished/draft content:

      $contentService->loadContent($contentId, null, $draftVersionNo);

      • The operation completes successfully, and the draft content is made available. Note that if the version number is not specified, the published content will be returned, as opposed to the draft content.


          Activity

          Damien Pobel (Inactive) added a comment - PR: https://github.com/ezsystems/ezpublish-kernel/pull/450
          Damien Pobel (Inactive) added a comment - Fixed in ezpublish-kernel: master: http://github.com/ezsystems/ezpublish-kernel/commit/fdf9994a80ab140510e8d201ad4524fc225e279e
          Joao Pingo (Inactive) added a comment -

          Tested on master and 5.1 with tc-1737
          Tests passed ... QA Done

          Filipe Dobreira (Inactive) added a comment - edited

          Issue is fixed when the versionNo is specified (3rd argument to loadContent), but still present when no version number is specified:

          // as an anonymous user, load a content draft through its id:
          $content = $contentService->loadContent($contentId);

          Additional checks should be made to assert if the user has permissions to view draft objects, even if the versionNo is left out (in which case versionNo will default to the last published version, AFAIK, which may be a draft).

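A caller-side guard that covers both cases discussed in this thread (version number given, and version number omitted so that the returned version may still be a draft), as an added example that is not code from the issue or from the ezpublish-kernel fix; it assumes the eZ Publish 5 public API names Repository::canUser, ContentService::loadContent, Content::getVersionInfo and VersionInfo::STATUS_PUBLISHED, and the kernel's UnauthorizedException class:

```php
<?php
// Added example (not from the eZ Publish project or this issue): refuse to
// hand a non-published version to a user who lacks content/versionread,
// regardless of whether the caller passed a version number.
use eZ\Publish\API\Repository\Repository;
use eZ\Publish\API\Repository\Values\Content\Content;
use eZ\Publish\API\Repository\Values\Content\VersionInfo;
use eZ\Publish\Core\Base\Exceptions\UnauthorizedException;

/**
 * Load content and enforce the versionread policy on whatever version
 * loadContent actually resolved to (explicit $versionNo or the default).
 *
 * @return Content
 * @throws UnauthorizedException when the version is a draft/archived
 *         version and the current user may not read it
 */
function loadContentWithVersionCheck(Repository $repository, $contentId, $versionNo = null)
{
    $contentService = $repository->getContentService();
    $content = $contentService->loadContent($contentId, null, $versionNo);
    $versionInfo = $content->getVersionInfo();

    // A published version is covered by the ordinary content/read check;
    // only non-published versions need the extra policy.
    if ($versionInfo->status === VersionInfo::STATUS_PUBLISHED) {
        return $content;
    }

    // Check the policy against the loaded Content so version-related
    // limitations (owner, status) are evaluated for this specific version.
    if (!$repository->canUser('content', 'versionread', $content)) {
        throw new UnauthorizedException(
            'content',
            'versionread',
            array('contentId' => $contentId, 'versionNo' => $versionInfo->versionNo)
        );
    }

    return $content;
}
```

Because the status check runs on the version that was actually returned, the omitted-version case raised in the comment above is caught as well, not only the explicit-version case.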
          André Rømcke added a comment - edited

          Additional PR: https://github.com/ezsystems/ezpublish-kernel/pull/479 please review so we don't have to take this round trip one more time.

          André Rømcke added a comment - Merged in https://github.com/ezsystems/ezpublish-kernel/commit/36644a8845764a3306412b735eabda111894bc9c
          Marcos Loureiro (Inactive) added a comment -

          QA Approved

          Petar Spanja (Inactive) added a comment - Fixed in ezpublish-kernel/master: https://github.com/ezsystems/ezpublish-kernel/commit/41f916d599642b2d2d6136fe60770bf4306c302b

            People

            Assignee: Unassigned
            Reporter: Filipe Dobreira (Inactive)
            Time Tracking

            Original Estimate: Not Specified
            Time Spent: 4 days, 5 hours, 10 minutes (4d 5h 10m)
            Remaining Estimate: 1 day, 2 hours, 55 minutes (1d 2h 55m)