Details
-
Bug
-
Resolution: Fixed
-
Major
-
6.2.8
-
None
-
None
-
-
Empty show more show less
-
Yes
-
UI FW 33, UI FW 34
-
5
Description
Steps to reproduce
- create roles allowing only superuser to create "Travel Home" pages:
- Login with any "non-superuser" user
- Open Pages app
- (Notice that you cannot create a page of type "Travel Home", which is expected)
- Select an existing page of type "Travel Home" and select action "Move Page"
- Note that you are allowed to move the page literally everywhere
Expected results
Expectation is that "non-superuser" user is not allowed to move a page with the template that only superuser is allowed to create.
Actual results
"non-superuser" can move page of type "Travel Home".
Additional Input
Note that this is a regression from Magnolia 5.7.x as it worked there. This bug is reproducible on "Plain Magnolia" (e.g. https://demoauthor.magnolia-cms.com/ ).
The issue seems to be that info.magnolia.module.site.templates.ConfiguredSiteTemplateAvailability#isAvailable is not called when doing "Move Page" while it was called in Magnolia 5.7.x.
I set Prioriy to Major as this bug is security related.
Workaround
Legacy app works as expected, it can be used instead of the new app.
Development notes
Checklists
Attachments
Issue Links
- depends upon
-
MGNLUI-6812 Allow define DropConstraint for CanMoveRule
-
- Closed
-
