-
Bug
-
Resolution: Fixed
-
Major
-
6.2.8
-
None
-
None
-
-
Empty show more show less
-
Yes
-
UI FW 33, UI FW 34
-
5
Steps to reproduce
- create roles allowing only superuser to create "Travel Home" pages:
- Login with any "non-superuser" user
- Open Pages app
- (Notice that you cannot create a page of type "Travel Home", which is expected)
- Select an existing page of type "Travel Home" and select action "Move Page"
- Note that you are allowed to move the page literally everywhere
Expected results
Expectation is that "non-superuser" user is not allowed to move a page with the template that only superuser is allowed to create.
Actual results
"non-superuser" can move page of type "Travel Home".
Additional Input
Note that this is a regression from Magnolia 5.7.x as it worked there. This bug is reproducible on "Plain Magnolia" (e.g. https://demoauthor.magnolia-cms.com/ ).
The issue seems to be that info.magnolia.module.site.templates.ConfiguredSiteTemplateAvailability#isAvailable is not called when doing "Move Page" while it was called in Magnolia 5.7.x.
I set Prioriy to Major as this bug is security related.
Workaround
Legacy app works as expected, it can be used instead of the new app.
Development notes
- depends upon
-
MGNLUI-6812 Allow define DropConstraint for CanMoveRule
- Closed