-
Improvement
-
Resolution: Fixed
-
Neutral
-
6.2.16
-
None
-
-
-
Yes
-
Nucleus 4
-
5
Description
There is a security issue when creating different editor groups that should only be allowed to edit specific parts of a site.
Steps to reproduce
- Log in to demo.magnolia-cms.com
- In the Security App, edit the userrole "/travel-demo-editor"
- Change Website ACLs to:
  - Read-Only - Sub nodes - /
  - Read/Write - Sub nodes - /travel/about
- Change Website ACLs
- Log in as "eric"
- Eric does not have the rights to open edit mode for /travel/about (which is correct)
- Open edit mode of /travel/about/company (works correctly too)
- Change the URL to https://demo.magnolia-cms.com/.magnolia/admincentral#app:pages-app:detail;/travel/about:edit
- Check that Eric can now edit the /travel/about page
Expected results
Eric cannot edit /travel/about, even when accessing it directly through the URL.
Actual results
Eric can edit /travel/about by pasting the URL directly into the browser.
Workaround
Set read-only for the areas of /travel/about as well.
Development notes
Probably because the main area and the rest of the elements are subnodes of the /travel/about path, they can be edited (the ACL setting applies to the subnodes of /travel/about).
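As an added example (not Magnolia's own code), the following Python models the two Website ACL entries from the reproduction steps and the authorization check the pages app detail route needs so that `/travel/about` is refused whether edit mode is opened from the UI or from a pasted `#app:pages-app:detail;...:edit` location. The scope labels and the "longest matching path wins" resolution are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import List, Optional

READ_ONLY = "Read-Only"
READ_WRITE = "Read/Write"


@dataclass(frozen=True)
class AclRule:
    """One Website ACL entry: permission, scope and the node path it applies to."""
    permission: str
    scope: str  # "Sub nodes" or "Selected node and sub nodes" (assumed scope labels)
    path: str

def _is_descendant(node: str, base: str) -> bool:
    """True when node lies strictly below base in the page tree."""
    base = base.rstrip("/") or "/"
    return node != "/" if base == "/" else node.startswith(base + "/")

def rule_matches(rule: AclRule, node: str) -> bool:
    if rule.scope == "Sub nodes":  # descendants only, not the selected node itself
        return _is_descendant(node, rule.path)
    if rule.scope == "Selected node and sub nodes":
        return node == (rule.path.rstrip("/") or "/") or _is_descendant(node, rule.path)
    raise ValueError(f"unknown ACL scope: {rule.scope}")

def effective_permission(rules: List[AclRule], node: str) -> Optional[str]:
    """Most specific (longest path) matching rule wins; no match means no access (assumption)."""
    matching = [r for r in rules if rule_matches(r, node)]
    if not matching:
        return None
    return max(matching, key=lambda r: len(r.path.rstrip("/"))).permission

def can_edit(rules: List[AclRule], node: str) -> bool:
    return effective_permission(rules, node) == READ_WRITE

# The travel-demo-editor role as set up in the reproduction steps (constructed from the page).
TRAVEL_DEMO_EDITOR = [AclRule(READ_ONLY, "Sub nodes", "/"), AclRule(READ_WRITE, "Sub nodes", "/travel/about")]

def authorize_detail_location(rules: List[AclRule], fragment: str) -> str:
    """Server-side gate for a location like 'app:pages-app:detail;/travel/about:edit'."""
    _, _, location = fragment.partition(";")
    node, _, action = location.rpartition(":")
    if not node or (action == "edit" and not can_edit(rules, node)):
        return "denied"  # hiding the edit button in the UI is not enough; the route must refuse too
    return "allowed"
```

With this role, `/travel/about` resolves to Read-Only (only the "/" rule covers it) while `/travel/about/company` resolves to Read/Write, which matches the behaviour observed in the steps; the route check then turns the pasted-URL case from "allowed" into "denied".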
Acceptance criteria