Bug #20539: Search reveals sensitive data (closed)
Description
If you set up a site with an authenticated section, a user should not see search results if their account does not permit them to. However, indexed_search breaks this authentication when coupled with tt_news. To reproduce, try the following:
1) Create two groups: GroupA and GroupB
2) Create UserA in GroupA, UserB in GroupB, and GlobalUser in GroupA and GroupB
3) Create a few tt_news content items and assign them to either GroupA or GroupB
4) Create a tt_news list item on an authenticated page. This means that when UserA logs in, he should only see list items for GroupA. When UserB logs in, he should only see items for GroupB. When GlobalUser logs in, he should see all.
No matter your permission, once you log in, the search results are permission-independent. If you click on the full text, you are given an error if you do not have permission to view that item, which is correct. The problem then is eliminating the entry from the search results.
(issue imported from #M11235)
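The reproduction steps above, reduced to a small model. This is an added example constructed for this page, not code from indexed_search or tt_news: the item, user and group records are made up to match steps 1 to 3, `naive_search` is the leaky behaviour the report describes, `filtered_search` re-checks each hit against the viewer's group membership before returning it, and `exact_combination_search` is an assumed model of an index that only shows a restricted hit when the group list it was indexed under equals the viewer's group list.

```python
"""Simplified model (constructed for this example, not TYPO3 code) of how
search results interact with frontend group access, using the groups and
users from steps 1-3 of the report."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class NewsItem:
    uid: int
    title: str
    body: str
    fe_groups: FrozenSet[str]   # groups allowed to read; empty = public


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]


GROUP_A, GROUP_B = "GroupA", "GroupB"

# Constructed news records: one per group plus one public item.
ITEMS: List[NewsItem] = [
    NewsItem(1, "Team A figures", "budget numbers for team A", frozenset({GROUP_A})),
    NewsItem(2, "Team B roadmap", "internal roadmap for team B", frozenset({GROUP_B})),
    NewsItem(3, "Public notice", "office closed on Friday", frozenset()),
]
ITEM_BY_UID: Dict[int, NewsItem] = {i.uid: i for i in ITEMS}

# Constructed users from step 2 of the report.
USERS: Dict[str, User] = {
    "UserA": User("UserA", frozenset({GROUP_A})),
    "UserB": User("UserB", frozenset({GROUP_B})),
    "GlobalUser": User("GlobalUser", frozenset({GROUP_A, GROUP_B})),
}


def can_read(user: User, item: NewsItem) -> bool:
    """Access rule the page itself enforces: public, or the user is in one of the item's groups."""
    return not item.fe_groups or bool(user.groups & item.fe_groups)


def _matches(query: str, item: NewsItem) -> bool:
    q = query.lower()
    return q in item.title.lower() or q in item.body.lower()


def naive_search(query: str) -> List[int]:
    """The behaviour the report describes: hits are returned regardless of who asks."""
    return [i.uid for i in ITEMS if _matches(query, i)]


def filtered_search(query: str, user: User) -> List[int]:
    """Defensive variant: every hit is re-checked against the viewer before it is shown."""
    return [uid for uid in naive_search(query) if can_read(user, ITEM_BY_UID[uid])]


def exact_combination_search(query: str, user: User) -> List[int]:
    """Assumed model of indexing per group combination: a restricted hit is
    shown only when the group list it was indexed under equals the viewer's
    group list. Each item is indexed once here, under its own fe_groups, so a
    user belonging to more groups than the item lists gets no hit at all."""
    hits = []
    for item in ITEMS:
        if not _matches(query, item):
            continue
        indexed_under = item.fe_groups          # the group list the indexer saw
        if not indexed_under or indexed_under == user.groups:
            hits.append(item.uid)
    return hits


if __name__ == "__main__":
    for name, user in USERS.items():
        print(name, "naive:", naive_search("team"),
              "filtered:", filtered_search("team", user),
              "exact:", exact_combination_search("team", user))
```

Running the block shows the two failure modes side by side: the naive search hands every user both restricted items, while the exact-combination model hides Team A and Team B content from GlobalUser, who is entitled to both, because the item was indexed under a single group rather than under every combination. Re-checking each hit with the same rule the page uses (`can_read`) gives each of the three users exactly the items the report says they should see.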
Updated by Martin Holtz over 15 years ago
Can you show us your indexed_search configuration?
Updated by Dmitry Dulepov about 14 years ago
The problem is with incorrect group settings for indexing, not with search results. You must provide exact group combinations to list items correctly. This is quite a stupid thing in the indexed search, but this is how it works.