RotherOSS / FAQ

The FAQ/knowledge base.

Article title with no permission listed in CustomerFAQExplorer #11

Closed io-architect closed 2 years ago

io-architect commented 2 years ago

Hello all,

When using CustomerGroupSupport, customer users can see FAQ article titles without permission.

How to reproduce the issue:

  1. Enable "CustomerGroupSupport"

  2. Create customer company "COMPANY01" and "COMPANY02"

  3. Create customer user "cust01" -> "COMPANY01", "cust02" -> "COMPANY02"

  4. Create group "tech01" and "tech02"

  5. Assign COMPANY01 -> tech02, COMPANY02 -> tech02

  6. Create FAQ category TECH01(group tech01), TECH02(group tech02)

  7. Create FAQ article "FOR TECH01" in category TECH01 and "FOR TECH02" in category TECH02, with external

  8. Login customer.pl by cust01

  9. Visit the "FAQ" page on the customer interface: only the subcategory "TECH01" is visible (OK), but under Latest Updated Articles there are 2 FAQ articles listed, "FOR TECH 01" and "FOR TECH 02" ("FOR TECH 02" is NG)

  10. Select FAQ article "FOR TECH 02"; there is an error "Insufficient Rights" (Message: No Permission!) (OK)

  11. Search articles with keyword "TECH": the articles "FOR TECH 01" and "FOR TECH 02" are listed ("FOR TECH 02" is NG)

Tracing the code: when jumping from the dashboard to CustomerFAQExplorer, there is no CategoryID and the module calls Kernel::System::FAQ::FAQSearch() without the CategoryIDs parameter. Kernel::System::FAQSearch returns the article list without a permission check, so the module lists all articles unchecked.

Regards, Tomohisa Hirami

bschmalhofer commented 2 years ago

Hi @io-architect,

thanks for the detailed description and the pull request. The fix will be included in the next release, 10.0.6, of the FAQ package. I have already merged it on GitHub. I also made a small refactoring, so that CustomerCategorySearch() is called in only one code path, which covers both cases.

Best regards, Bernhard
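As an added illustration (not code from the RotherOSS/FAQ package), the following Python model reproduces the authorization gap from the report above and the single-code-path fix described in the reply: the vulnerable explorer applies the customer's category permissions only when a CategoryID is present, so the dashboard and search paths fall through to an unfiltered search, while the fixed explorer always derives CategoryIDs from the permission check. The data, function names and the simplified stand-ins for FAQSearch()/CustomerCategorySearch() are assumptions made for the example.

```python
# Added example, not from RotherOSS/FAQ: a minimal model of the authorization
# bug in issue #11. All data below is constructed to mirror the reproduction
# setup (COMPANY01 in group tech01, COMPANY02 in group tech02).
from dataclasses import dataclass


@dataclass(frozen=True)
class Article:
    id: int
    title: str
    category_id: int


CATEGORY_GROUP = {1: "tech01", 2: "tech02"}           # TECH01 -> tech01, TECH02 -> tech02
COMPANY_GROUPS = {"COMPANY01": {"tech01"}, "COMPANY02": {"tech02"}}
CUSTOMER_COMPANY = {"cust01": "COMPANY01", "cust02": "COMPANY02"}
ARTICLES = [Article(1, "FOR TECH01", 1), Article(2, "FOR TECH02", 2)]


def customer_category_search(customer_user):
    """Stand-in for CustomerCategorySearch(): category IDs whose group the
    customer's company belongs to. This is the permission check."""
    groups = COMPANY_GROUPS.get(CUSTOMER_COMPANY.get(customer_user, ""), set())
    return {cid for cid, group in CATEGORY_GROUP.items() if group in groups}


def faq_search(keyword="", category_ids=None):
    """Stand-in for FAQSearch(): filters by CategoryIDs only when the caller
    supplies them; it performs no permission check of its own."""
    return [a for a in ARTICLES
            if keyword.lower() in a.title.lower()
            and (category_ids is None or a.category_id in category_ids)]


def explorer_vulnerable(customer_user, keyword="", category_id=None):
    """Before the fix: permissions are applied only on the per-category path.
    The dashboard and search paths arrive with no CategoryID and fail open."""
    if category_id is not None:
        allowed = customer_category_search(customer_user)
        return faq_search(keyword, {category_id} & allowed)
    return faq_search(keyword)           # no CategoryIDs passed: every article returned


def explorer_fixed(customer_user, keyword="", category_id=None):
    """After the fix: one code path always derives CategoryIDs from the
    customer's permissions, so an empty permission set yields no articles."""
    allowed = customer_category_search(customer_user)
    if category_id is not None:
        allowed &= {category_id}
    return faq_search(keyword, allowed)  # empty set filters everything, never "all"
```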