Details
- Bug
- Resolution: Fixed
- High
- 5.1, 5.2-dev
- N/A
Description
Through the public API, an Anonymous user without versionview permissions can access draft content through ContentService::loadContent, by specifying the version number.
Steps to reproduce:
- As admin, create the first version of a content object, and publish it
- Still as admin, create a new version of the content object, but store it as a draft, do not publish it
- Through the Public API, as an Anonymous user, load the unpublished/draft content:
    $contentService->loadContent($contentId, null, $draftVersionNo);
- The operation completes successfully, and the draft content is made available. Note that if the version number is not specified, the published content will be returned, as opposed to the draft content.
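The missing check, shown as an added example that is not eZ Publish code and not part of the original report: a toy content service that authorizes against the status of the version actually loaded. The class names, the permission array, the 'read' permission name and the sample content are assumptions made for illustration; 'versionview' is the permission named in the report.

```php
<?php
// Toy model, not eZ Publish code: all names are hypothetical, data is constructed.
const STATUS_DRAFT = 0;
const STATUS_PUBLISHED = 1;
final class Unauthorized extends Exception {}

final class ToyContentService
{
    // $versions: contentId => versionNo => ['status' => int, 'body' => string]
    public function __construct(private array $versions, private array $permissions) {}

    public function loadContent(int $contentId, ?int $versionNo = null): string
    {
        if (!in_array('read', $this->permissions, true)) {
            throw new Unauthorized('read');
        }
        // No version number given: fall back to the published version.
        $versionNo ??= $this->publishedVersionNo($contentId);
        $version = $this->versions[$contentId][$versionNo] ?? null;
        if ($version === null) {
            throw new OutOfBoundsException("No version $versionNo for content $contentId");
        }
        // The check the report describes as missing: authorize against the status
        // of the version actually loaded, not only against the content object.
        if ($version['status'] !== STATUS_PUBLISHED
            && !in_array('versionview', $this->permissions, true)) {
            throw new Unauthorized('versionview');
        }
        return $version['body'];
    }

    private function publishedVersionNo(int $contentId): int
    {
        foreach ($this->versions[$contentId] ?? [] as $no => $version) {
            if ($version['status'] === STATUS_PUBLISHED) {
                return $no;
            }
        }
        throw new OutOfBoundsException("No published version for content $contentId");
    }
}

$versions = [7 => [1 => ['status' => STATUS_PUBLISHED, 'body' => 'published v1'],
                   2 => ['status' => STATUS_DRAFT, 'body' => 'draft v2']]];
$anonymous = new ToyContentService($versions, ['read']);
echo $anonymous->loadContent(7), PHP_EOL;   // no version number given
try {
    $anonymous->loadContent(7, 2);          // draft requested by version number
} catch (Unauthorized $e) {
    echo 'denied, missing permission: ', $e->getMessage(), PHP_EOL;
}
```

A regression test for the fix would follow the same shape as the steps above: publish version 1, store version 2 as a draft, then assert that the anonymous call with the draft version number is rejected while the call without a version number still succeeds.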