Bug #42606

Content Security with nested objects

Added by Julian Kleinhans almost 3 years ago. Updated over 2 years ago.

Status: New
Start date: 2012-11-01
Priority: Must have
Due date:
Assigned To: -
% Done: 0%
Category: Security
Target version: -
PHP Version:
Complexity:
Has patch: No
Affected Flow version: Git master

Description

I think there is a strange bug in the content security.

Initial situation:

3 Models
- Product
-- Category
--- Tutorial

The Product Model includes the categories, and the categories include the tutorials.
With Fluid I can do something like this (3 nested for-loops):

<f:for each="{products}" as="product">
  <f:for each="{product.categories}" as="category">
    <f:for each="{category.tutorials}" as="tutorial">
      {tutorial.title} (Disabled: {tutorial.disabled})
    </f:for>
  </f:for>
</f:for>

The Tutorial Model has a disabled class var which includes a boolean.
My Policy.yaml has the following content:

resources:
  entities:
    Kj187_Tutorials_Domain_Model_Tutorial:
      Kj187_Tutorials_Domain_Model_Tutorial_Disabled: 'this.disabled == TRUE'

The problem is, it doesn't work with 3 (or more) nested loops. I get all tutorials, all with 'disabled equals 1' and all with 'disabled equals 0'.
If I get only the categories via the repository and do something like this

<f:for each="{categories}" as="category">
  <f:for each="{category.tutorials}" as="tutorial">
    {tutorial.title} (Disabled: {tutorial.disabled})
  </f:for>
</f:for>

it works!

Another problem is that I can call a tutorial with 'disabled = 1' directly (http://local.domain/PRODUCT/CATEGORY/TUTORIAL.html) without any problems?!

History

#1 Updated by Julian Kleinhans almost 3 years ago

Wrong issue info!

It also doesn't work with only 1 nested loop!

#2 Updated by Karsten Dambekalns over 2 years ago

  • Affected Flow version changed from Git 1.2 (master) to Git master
