eZ Publish / Platform: EZP-21586

ContentTypeService::createContentType() does not check for any permissions

    Details

    • Sprint:
      Pollux Core S4

      Description

      This allows anyone with access to the API (e.g. any non-anonymous user with REST configured to use session auth) to create a ContentType draft.

      UnauthorizedException should be defined and implemented when the user does not have access to create a content type (class/create).
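
The check the description asks for, sketched as an added example; this is not code from the ticket or from the eZ Publish kernel. `PolicyChecker`, `createContentTypeUnchecked()`, the local `UnauthorizedException` stand-in and the sample users are hypothetical, and PHP 8 is assumed. The check sits in the service method, so it applies to every API consumer, REST with session auth included.

```php
<?php
declare(strict_types=1);

// Stand-in for the exception named in the ticket; not the kernel's own class.
final class UnauthorizedException extends RuntimeException {}

// Hypothetical permission lookup: user => granted "module/function" policies.
final class PolicyChecker
{
    public function __construct(private array $policiesByUser) {}

    public function hasAccess(string $user, string $module, string $function): bool
    {
        return in_array("$module/$function", $this->policiesByUser[$user] ?? [], true);
    }
}

// Simplified model of the service; a draft is just an array here.
final class ContentTypeService
{
    public function __construct(private PolicyChecker $policies, private string $currentUser) {}

    // Behaviour reported in the ticket: every authenticated caller gets a draft.
    public function createContentTypeUnchecked(string $identifier): array
    {
        return ['identifier' => $identifier, 'status' => 'draft', 'creator' => $this->currentUser];
    }

    // Requested behaviour: refuse before any draft is built or stored.
    public function createContentType(string $identifier): array
    {
        if (!$this->policies->hasAccess($this->currentUser, 'class', 'create')) {
            throw new UnauthorizedException("'{$this->currentUser}' lacks class/create");
        }
        return $this->createContentTypeUnchecked($identifier);
    }
}

// Constructed sample users: an editor without class/create, an admin with it.
$policies = new PolicyChecker(['editor' => ['content/create'], 'admin' => ['class/create']]);
foreach (['editor', 'admin'] as $user) {
    $service = new ContentTypeService($policies, $user);
    try {
        $draft = $service->createContentType('blog_post');
        echo "$user: draft '{$draft['identifier']}' created\n";
    } catch (UnauthorizedException $e) {
        echo "$user: denied ({$e->getMessage()})\n";
    }
}
```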

        Activity

        Ricardo Correia (Inactive) added a comment -

        QA Approved.

        Gunnstein Lye added a comment - Fixed in master: https://github.com/ezsystems/ezpublish-kernel/commit/7569cb81fa274c6509a6f2586f1d0c753630a44b
        Gunnstein Lye added a comment - PR: https://github.com/ezsystems/ezpublish-kernel/pull/1142

          People

          • Assignee:
            Unassigned
            Reporter:
            Petar Spanja (Inactive)
          • Votes:
            0
            Watchers:
            4

              Time Tracking

              Estimated:
              Not Specified
              Remaining:
              0m
              Logged:
              7h 50m