Bug
Resolution: Not an issue
Neutral
As reported by tmiyar in Slack
[...] We think we might have a security issue here
https://git.magnolia-cms.com/projects/MODULES/repos/rest/browse/magnolia-rest-content-delivery/src/main/java/info/magnolia/rest/delivery/jcr/v2/JcrDeliveryEndpoint.java#349
The reference should not be retrieved in system context.
Let’s say I’m a user that has read permissions on the website workspace but does NOT have read permission on the categories workspace.
If a category is referenced in some page, the reference will be resolved and the category will be returned to me (because of the system context).
is related to: CAMPMAN-31 Preview as visitor broken in headless scenario (Closed)
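
The concern in the report above, modelled as an added example (not Magnolia's code and not part of the original issue): a constructed in-memory repository in which a page's reference is resolved either with a privileged session or with the caller's own session. The `Session` class, the `deliver` function, the user names and the node ids are hypothetical, and leaving an unreadable reference as its bare identifier is an assumption of the model.

```python
# Constructed model: workspace -> {node id: node}, and user -> readable workspaces.
WORKSPACES = {
    "website": {"page-1": {"title": "Home", "category": ("categories", "cat-1")}},
    "categories": {"cat-1": {"name": "internal-projects"}},
}
READ_ACL = {"editor": {"website"}, "superuser": {"website", "categories"}}


class AccessDenied(Exception):
    pass


class Session:
    """Read-only session bound to one principal; system=True bypasses the ACL."""

    def __init__(self, user, system=False):
        self.user, self.system = user, system

    def get_node(self, workspace, node_id):
        if not self.system and workspace not in READ_ACL.get(self.user, set()):
            raise AccessDenied(f"{self.user} cannot read workspace {workspace}")
        return WORKSPACES[workspace][node_id]


def deliver(user, node_id, resolve_in_system_context):
    """Return a page for `user`, expanding (workspace, id) reference properties."""
    user_session = Session(user)
    page = dict(user_session.get_node("website", node_id))
    # The choice under discussion: which session resolves the reference.
    resolver = Session(user, system=True) if resolve_in_system_context else user_session
    for name, value in list(page.items()):
        if isinstance(value, tuple):  # a (workspace, id) tuple marks a reference
            try:
                page[name] = resolver.get_node(*value)
            except AccessDenied:
                page[name] = value[1]  # assumption: keep the unresolved identifier
    return page


if __name__ == "__main__":
    # "editor" can read website but not categories.
    print(deliver("editor", "page-1", resolve_in_system_context=True))
    print(deliver("editor", "page-1", resolve_in_system_context=False))
```
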