silverstripe / cwp

Common Web Platform (CWP) features module. We strongly recommend using it for all new CWP projects. Future features will be delivered here.
https://www.cwp.govt.nz
BSD 3-Clause "New" or "Revised" License

Related pages linking feature has a bug with publishing pages (SS4) #324

Open Veronica-davidraj opened 1 year ago

Veronica-davidraj commented 1 year ago

Steps to reproduce:

- Create page A and page B
- Link both pages via related pages tab

When testing the scenario above we found a security issue with the related pages tab.

Page B (Draft) gets attached to Page A (Published) via the related pages tab, then Page B automatically gets published when Page A is published again.

maxime-rainville commented 1 year ago

@Veronica-davidraj Thanks for reaching out. For future reference, if you come across an issue you think has security implications, please email security@silverstripe.org first. You can find more information about Reporting security issues in our official doc.

In this specific case, we agree this is a bug. We don't think it's worth treating it as a security issue however.

You would need to have CanView permissions on Page B to view its content even after publishing it. Presuming you have CanView permission on Page B without CanEdit, you would still be able to view the draft content. You could just take that draft content and copy-paste it on a page you can publish.

maxime-rainville commented 1 year ago

The problem here is that "Related pages" is a $owns relation. That doesn't make much sense.

My guess is this is something we could ship in a minor release, but probably not in a patch release. Would we be comfortable sneaking this one into 4.13 post beta? If not, it will have to stay like this in CMS 4, and will only be shipped in CMS 5.
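
The reproduction steps from this issue written as a regression test. This is an added example, not part of the thread and not code from the CWP module. It assumes a CWP project whose `Page` class exposes the relation as `RelatedPages()`; the test class name is hypothetical.

```php
<?php

use SilverStripe\Dev\SapphireTest;
use SilverStripe\Versioned\Versioned;

// Hypothetical test class. Assumes Page extends the CWP base page and that
// the related pages relation is exposed as RelatedPages() (an assumption).
class RelatedPagesPublishTest extends SapphireTest
{
    protected $usesDatabase = true;

    public function testPublishingOwnerDoesNotPublishRelatedDraft()
    {
        // Page A is published; page B exists only in draft.
        $pageA = Page::create(['Title' => 'Page A']);
        $pageA->write();
        $pageA->publishRecursive();

        $pageB = Page::create(['Title' => 'Page B']);
        $pageB->write();
        $this->assertFalse($pageB->isPublished(), 'Page B starts as draft only');

        // Link B to A via related pages, then publish A again.
        $pageA->RelatedPages()->add($pageB);
        $pageA->write();
        $pageA->publishRecursive();

        // Page B must not have reached the live stage as a side effect.
        $liveB = Versioned::get_by_stage(Page::class, Versioned::LIVE)
            ->byID($pageB->ID);
        $this->assertNull($liveB, 'Publishing page A must not publish draft page B');
    }
}
```

With the behaviour reported above, the final assertion is the one expected to fail, since page B reaches the live stage when page A is republished.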