Actions
Bug #18797
closed"New page" wizard might disclose existence of pages outside DB mount
Status:
Closed
Priority:
Should have
Assignee:
Category:
Backend User Interface
Target version:
-
Start date:
2008-05-15
Due date:
% Done:
100%
Estimated time:
TYPO3 Version:
6.2
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:
Description
When creating a new page inside the top level of a DB mount which is only a sub tree, the pages up and down from the DB mount root will be displayed in the position selector if the logged in user has read permissions for these pages. This is unwanted information disclosure as the permissions should not matter for pages which are outside the DB mount.
Example:
Tree looks like
x -
- a
- b
- d
- e
- f
- c
User A has b as his DB mount but reading permissions on all pages in the tree. He now create a new page inside b. The position selector should only show him b and its subpages. Instead he will be shown a and c, too.
(issue imported from #M8428)
Files
Actions