Bug #42606

Content Security with nested objects

Added by Julian Kleinhans over 8 years ago. Updated over 8 years ago.

Status: New
Priority: Must have
Assignee: -
Category: Security
Target version: -
Start date: 2012-11-01
Due date:
% Done: 0%
Estimated time:
PHP Version:
Has patch: No
Complexity:

Description

I think there is a strange bug in the content security.

Initial situation:

3 Models
- Product
-- Category
--- Tutorial

The Product Model includes the categories, and the categories the tutorials.
With FLUID I can do something like this (3 nested for-loops):

<f:for each="{products}" as="product">
  <f:for each="{product.categories}" as="category">
    <f:for each="{category.tutorials}" as="tutorial">
      {tutorial.title} (Disabled: {tutorial.disabled})
    </f:for>
  </f:for>
</f:for>                                           

The Tutorial Model has a disabled class var which contains a boolean.
My Policy.yaml has the following content:

resources:
  entities:
    Kj187_Tutorials_Domain_Model_Tutorial:
      Kj187_Tutorials_Domain_Model_Tutorial_Disabled: 'this.disabled == TRUE'

The problem is, it doesn't work with 3 (or more) nested loops. I get all tutorials, all with 'disabled equals 1' and all with 'disabled equals 0'.
If I get only the categories via the repository and do something like this

<f:for each="{categories}" as="category">
  <f:for each="{category.tutorials}" as="tutorial">
    {tutorial.title} (Disabled: {tutorial.disabled})
  </f:for>
</f:for>  

it works!

Another problem is that I can call a tutorial with 'disabled = 1' directly (http://local.domain/PRODUCT/CATEGORY/TUTORIAL.html) without any problems?!

#1

Updated by Julian Kleinhans over 8 years ago

Wrong issue info!

It also doesn't work with only 1 nested loop!
