The fix for
EZP-25204 causes a regression, in that symfony user-hash response headers do not vary by cookie, which causes them to be cached.
The result is that after a user with rights visits an otherwise unaccessible content, logging out and visiting the same content with anonymous user will be possible
- Enable symfony http cache or varnish reverse-proxy
- define a new section and add a document to this section (e.g. /test).
- anonymous user have rights for read doc in section standard only
- define a user "b" with read rights to the new section
- login with user "b" and visit /test
- visit the page again with anonymous and it will be accessible