Ensure non-admin users cannot see whole page tree from root, and only the mount points he is assigned to.
I came out with a strange bug.
Using an extension that creates BE users, I made an incorrect configuration, and some non-admin users had the value of the "db_mountpoints" field set to 0 instead of NULL.
The users were in groups that had correctly configured mount points (22, 24). By merging these two pieces of information, users had a mount point list of "0,22,24"
When rendering the page tree in the BE, we could see the two mount points of the group (22 and 24) but also the whole tree from the root (0) exposing the whole site structure to non-authorized users. By clicking on pages that the user should not see, an error "#1289917924: You don't have access to this page" is thrown, hopefully...
Non-admin user should not see all pages from the root. We must therefore be ensured that this case does not occur.
#13 Updated by Jigal van Hemert 11 months ago
- Status changed from Under Review to Rejected
As commented in Gerrit:
We will not fix this in the core. The interface does not allow this combination and the system reject a request for unauthorized user as described in the issue. The core is not responsible to handle and fix broken records, which ware created by third party code.
Therefore the issue is marked as rejected.
If you feel that this is incorrect this issue can be re-opened or a new issue can be filed (please link to this issue in that case).