Bug #37267

protected content nodes are rendered

Added by Bastian Waidelich about 3 years ago. Updated over 1 year ago.

Status: Resolved
Start date: 2012-05-17
Priority: Must have
Due date:
Assigned To: Christian Müller
% Done: 0%
Category: Frontend
Target version: -

Description

Nodes that are restricted to a role (accessRoles) are currently displayed even if the logged in user does not belong to the respective role.

Example:

<node identifier="" type="TYPO3.TYPO3:Text" nodeName="someProtectedNode" locale="">
    <accessRoles>
        <role>Administrator</role>
    </accessRoles>
    <properties>
        <headline>Some headline</headline>
        <text><![CDATA[
            <p>This should only be visible to Administrators.</p>
        ]]></text>
    </properties>
</node>

The text is displayed even if the logged in user is not in the role "Administrator".

Associated revisions

Revision 72ed21d9
Added by Christian Müller about 3 years ago

[BUGFIX] Protected nodes can never be accessed

Due to a code fix in TYPO3CR a bug with fetching of access
protected nodes was uncovered that led to non accessibility.
The problem was that in Routing and PropertyMapping the
SecurityContext is not yet set up so roles are not available.

This change allows all nodes to be fetched from the TYPO3CR
during those early stages. So access protection must be checked
later (already implemented in the NodeController).

Related: #37267
Change-Id: If4e6bcaff73b136abf7435c19c49d31de73629dc
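
Added example (not code from TYPO3 Neos or from the commit above): a self-contained PHP sketch of the render-time check the commit message describes, run over a constructed sample in the node format from the report. The function names, the "publicNode" entry, the "Editor" role and the rule that any one listed role grants access are assumptions made for illustration.

```php
<?php
// Constructed sample in the node XML format shown in the bug description.
$xml = <<<'XML'
<nodes>
  <node identifier="" type="TYPO3.TYPO3:Text" nodeName="someProtectedNode" locale="">
    <accessRoles><role>Administrator</role></accessRoles>
    <properties><headline>Some headline</headline></properties>
  </node>
  <node identifier="" type="TYPO3.TYPO3:Text" nodeName="publicNode" locale="">
    <properties><headline>Public headline</headline></properties>
  </node>
</nodes>
XML;

/** Roles listed under <accessRoles>; an empty list means the node is unrestricted. */
function accessRolesOf(SimpleXMLElement $node): array
{
    $roles = $node->xpath('accessRoles/role') ?: [];
    return array_map(fn ($role) => trim((string)$role), $roles);
}

/**
 * Render-time decision (hypothetical helper). $userRoles is null while no
 * security context exists (routing, property mapping): nodes may be fetched
 * at that stage, but restricted content must not be rendered.
 */
function mayRender(SimpleXMLElement $node, ?array $userRoles): bool
{
    $required = accessRolesOf($node);
    if ($required === []) {
        return true;   // unrestricted node
    }
    if ($userRoles === null) {
        return false;  // roles unknown: deny instead of falling through
    }
    // Assumption: holding any one of the listed roles is sufficient.
    return count(array_intersect($required, $userRoles)) > 0;
}

// Fetch every node first, then filter at render time, once roles are known.
$doc = new SimpleXMLElement($xml);
foreach ([['Administrator'], ['Editor'], null] as $userRoles) {
    $visible = [];
    foreach ($doc->node as $node) {
        if (mayRender($node, $userRoles)) {
            $visible[] = (string)$node['nodeName'];
        }
    }
    $label = $userRoles === null ? '(no context)' : implode(',', $userRoles);
    printf("%-14s => %s\n", $label, implode(', ', $visible));
}
```

Treating "roles not yet available" as its own case is what keeps the early-stage fetch from turning into a rendering path that skips the check.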

History

#1 Updated by Christian Müller about 3 years ago

  • Status changed from New to Accepted
  • Assigned To set to Christian Müller

#2 Updated by Aske Ertmann about 3 years ago

  • Status changed from Accepted to Resolved

#3 Updated by Desh Bandhu over 1 year ago

Is there any way to give DENY permission to a node like we have DENY in Flow's security context? Other way around: Does a DENY permission exist for nodedata? I can see only accessRoles.
