Open Veronica-davidraj opened 1 year ago
@Veronica-davidraj Thanks for reaching out. For future reference, if you come across an issue you think has security implications, please email security@silverstripe.org first. You can find more information about Reporting security issues in our official doc.
In this specific case, we agree this is a bug. We don't think it's worth treating it as a security issue however.
You would need to have CanView permissions on Page B to view its content even after publishing it. Presuming you have CanView permission on Page B without CanEdit, you would still be able to view the draft content. You could just take that draft content and copy-paste it on a page you can publish.
The problem here is that "Related pages" is a $owns relation. That doesn't make much sense.
My guess is this is something we could ship in a minor release, but probably not in a patch release. Would we be comfortable sneaking this one into 4.13 post beta? If not, it will have to stay like this in CMS 4, and will only be shipped in CMS 5.
Steps to reproduce:
- Create page A and page B
- Link both pages via related pages tab
When testing the scenario above we found a security issue with the related pages tab.
Page B (Draft) gets attached to Page A (Published) via the related pages tab, then Page B automatically gets published when Page A is published again.