[MGNLADMLEG-9] Non-superuser is able to run legacy apps
Created: 17/May/13  Updated: 24/Jun/13  Resolved: 24/Jun/13

Status: Closed
Project: Admininterface Legacy 4.x (closed)
Component/s: None
Affects Version/s: 5.0
Fix Version/s: 5.0

Type: Bug
Priority: Major
Reporter: Jozef Chocholacek
Assignee: Federico Grilli
Resolution: Fixed
Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

A normal (non-superuser) user sees the app icons in Tools/Dev groups and is even able to run some of them. E.g. see logs, config info, flush caches, ...



 Comments   
Comment by Jozef Chocholacek [ 13/Jun/13 ]

"Fixed" somehow in RC1 - login form jumps out in the iframe, you can log in as superuser, but it breaks the current session.

Comment by Federico Grilli [ 24/Jun/13 ]

This seems to have been fixed for good. App visibility looks correct according to a user's permissions. Even trying to get directly to the old adminInterface by typing the URL directly in the browser (i.e. http://author/.magnolia/pages/somepage.html) as an unauthorised user won't make it accessible.

Generated at Sun Feb 11 23:08:41 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.