Details
Type: Story
Resolution: Unresolved
Priority: High
Version: 16.02
Description
While 16.02 allows this as of EZP-25522, and the Release notes have been fixed to tell Platform users how to configure roles to get it to work, some issues remain:
Design issue
All backend editors need access to the user objects of other authors, otherwise author fields crash the editing.
Bug
The author field should have a fallback so that it does not break down when the referenced user cannot be loaded (we should check this for all fields that load other content, by the way).
Security Improvement
Either we
- A. need to strip out passwordHash and passwordHashType from the REST response for User data (a BC break, but as it is security related it can be acceptable), or
- B. need a slimmed-down REST endpoint for loading user(s), or
- C. accelerate the FieldGroups work (EZP-24119), making it native and making it possible to limit access rights on it.
B. and C. might be considered the most secure options for customers that plan to put sensitive data in user object fields.
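To make option A and option B concrete, here is an added example (not eZ Platform code): a filter that removes passwordHash and passwordHashType at every nesting level of a REST User payload, a regression check that nothing sensitive survives, and a slim projection for the author field. The response shape, the field set in AUTHOR_VIEW_KEYS and all sample values are assumptions constructed for the example.

```python
# Added example, not eZ Platform's own code: scrub password hash material from a
# REST User representation and build the slim view an author field needs.
from typing import Any

# Keys that must never reach an editor's browser (option A).
SENSITIVE_KEYS = frozenset({"passwordHash", "passwordHashType"})

# Fields an author field plausibly needs (option B); this set is an assumption.
AUTHOR_VIEW_KEYS = ("_href", "id", "login", "name")


def strip_sensitive(payload: Any) -> Any:
    """Return a copy of payload with SENSITIVE_KEYS removed at every nesting level."""
    if isinstance(payload, dict):
        return {k: strip_sensitive(v) for k, v in payload.items() if k not in SENSITIVE_KEYS}
    if isinstance(payload, list):
        return [strip_sensitive(v) for v in payload]
    return payload


def contains_sensitive(payload: Any) -> bool:
    """Regression check: True if a sensitive key survives anywhere in the structure."""
    if isinstance(payload, dict):
        return any(k in SENSITIVE_KEYS or contains_sensitive(v) for k, v in payload.items())
    if isinstance(payload, list):
        return any(contains_sensitive(v) for v in payload)
    return False


def slim_author_view(user: dict) -> dict:
    """Option B: project a full User representation onto the author-field fields only."""
    return {k: user[k] for k in AUTHOR_VIEW_KEYS if k in user}


# Constructed sample shaped like a REST UserList response; every value is made up.
SAMPLE_USER_LIST = {
    "UserList": {
        "_media-type": "application/vnd.ez.api.UserList+json",
        "User": [
            {
                "_href": "/api/ezp/v2/user/users/42",
                "id": 42,
                "login": "jdoe",
                "name": "Jane Doe",
                "email": "jdoe@example.com",
                "passwordHash": "0123abcd-placeholder",  # constructed, not a real hash
                "passwordHashType": 5,
            },
        ],
    }
}
```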
Default Editor rights
Platform currently has a very crude role for editors: it simply grants all "content" rights with no limitations. Given that content rights are the only tool we have to enforce good content architecture, this role should be updated based on what is in Studio as soon as the design issue is solved.