"New page" wizard might disclose existence of pages outside DB mount
When creating a new page inside the top level of a DB mount which is only a subtree, the pages up and down from the DB mount root will be displayed in the position selector if the logged-in user has read permissions for these pages. This is unwanted information disclosure as the permissions should not matter for pages which are outside the DB mount.
Tree looks like
User A has b as his DB mount but reading permissions on all pages in the tree. He now creates a new page inside b. The position selector should only show him b and its subpages. Instead he will be shown a and c, too.
(issue imported from #M8428)
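The behaviour reported above can be modelled as follows. This is an added example, not TYPO3 code: the tree, the page names below `b` and all function names are constructed for illustration, and the selector is simplified to "siblings of the target page plus its subpages".

```python
# Constructed page tree: parent -> children in sorting order.
TREE = {
    "root": ["a", "b", "c"],
    "a": [],
    "b": ["b1", "b2"],
    "b1": [],
    "b2": [],
    "c": [],
}
PARENT = {child: parent for parent, kids in TREE.items() for child in kids}


def rootline(page):
    """Return the page followed by its ancestors up to the tree root."""
    line = [page]
    while line[-1] in PARENT:
        line.append(PARENT[line[-1]])
    return line


def in_mount(page, mounts):
    """A page is inside a DB mount if it, or any ancestor, is a mount root."""
    return any(p in mounts for p in rootline(page))


def candidates(target):
    """Pages the simplified selector considers: siblings, then subpages."""
    parent = PARENT.get(target)
    siblings = TREE[parent] if parent else [target]
    return siblings + TREE[target]


def selector_permission_only(target, readable):
    """Reported behaviour: only read permission decides what is listed."""
    return [p for p in candidates(target) if p in readable]


def selector_mount_bounded(target, readable, mounts):
    """Expected behaviour: a page must be readable AND inside a DB mount."""
    return [p for p in candidates(target)
            if p in readable and in_mount(p, mounts)]


if __name__ == "__main__":
    readable = set(TREE)   # user A may read every page
    mounts = {"b"}         # but only b is his DB mount
    print("permission only:", selector_permission_only("b", readable))
    print("mount bounded:  ", selector_mount_bounded("b", readable, mounts))
```
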
Updated by Riccardo De Contardi about 9 years ago
- File Cattura.PNG added
- File Cattura2.PNG added
- File Cattura3.PNG added
See attached files to see what happens in TYPO3 6.1.0:
is a branch of my pagetree; the editor's usergroup has B1 as DB mount.
If I click > page actions > new --> the wizard shown is what the user sees.
If I click on the arrow that allows me to add a page as sibling of B1 (see red circle on attached file) then there is an error:
The error reports the name of the parent of B1.