Open maethu opened 1 year ago
@maethu In general, permission to view an object's metadata in listings is controlled by the "Access contents information" permission on its container, not the View permission.
Does the Anonymous role still have the Access contents information permission in your example above? If so, I think this is working as designed.
@maethu In general, permission to view an object's metadata in listings is controlled by the "Access contents information" permission on its container, not the View permission.
Does the Anonymous role still have the Access contents information permission in your example above? If so, I think this is working as designed.
Ohh ooops my bad... Should have known this. But I it still exposes information even without this permission. --> https://github.com/plone/plone.restapi/pull/1635#issuecomment-1533509773
Description The relationfield serializer should respect the
View
permission.Problem Some metadata like, Title and Description can be exposed thru the relationsfield serializer
Reproduce
Result: bot page 2 and page 3 are serialized in relatedItems
Expected result Only list accessible relatedItems and do not expose any metadata information