Details
- Bug
- Resolution: Fixed
- Critical
- 1.0 B1, 1.0 B2
- None
Description
This is a major security issue: a user can create a custom skin that outputs $doc.content, and can thus view the contents of a page they do not have access to.
The proper way of doing this:
- if the user has view rights, then $doc, $cdoc and $tdoc should all be set (right now, in B2, $tdoc is not set)
- otherwise, $doc, $cdoc and $tdoc should still exist, but as shallow copies of the real document holding only non-relevant information, such as name and web, with phony values for the other fields: empty content, now() as the creation and update dates, 1.1 as the version, etc.
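The following Java sketch is an added illustration of the binding rule described above; it is not XWiki's own code, and the `WikiDocument`, `RightsService` and `SkinContextBinder` names are hypothetical stand-ins for the real classes. The point it makes is that the rights check happens before anything is put into the template context, so a skin that prints `$doc.content` only ever sees the real content when the user may view it, and the stub handed out otherwise carries no reference to the real document's content at all.

```java
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

// Hypothetical minimal document model (not XWiki's XWikiDocument).
final class WikiDocument {
    final String web;
    final String name;
    final String content;
    final Date creationDate;
    final Date updateDate;
    final String version;

    WikiDocument(String web, String name, String content,
                 Date creationDate, Date updateDate, String version) {
        this.web = web;
        this.name = name;
        this.content = content;
        this.creationDate = creationDate;
        this.updateDate = updateDate;
        this.version = version;
    }

    // Shallow copy: keeps only name and web, every other field is a phony value
    // (empty content, now() for both dates, "1.1" as version), as the report proposes.
    static WikiDocument shallowCopyOf(WikiDocument real) {
        Date now = new Date();
        return new WikiDocument(real.web, real.name, "", now, now, "1.1");
    }
}

// Hypothetical rights oracle; the real check would consult the wiki's ACLs.
interface RightsService {
    boolean hasViewRight(String user, WikiDocument doc);
}

final class SkinContextBinder {
    // Decide which object the skin is allowed to see as $doc / $cdoc / $tdoc.
    static WikiDocument documentFor(String user, WikiDocument real, RightsService rights) {
        if (rights.hasViewRight(user, real)) {
            return real;
        }
        return WikiDocument.shallowCopyOf(real);
    }

    // Bind all three variables from the same rights decision, so a skin can never
    // find the real document under one name when it is withheld under another.
    static Map<String, Object> buildContext(String user, WikiDocument real, RightsService rights) {
        WikiDocument bound = documentFor(user, real, rights);
        Map<String, Object> context = new HashMap<>();
        context.put("doc", bound);
        context.put("cdoc", bound);
        context.put("tdoc", bound);
        return context;
    }
}

public class SkinBindingDemo {
    public static void main(String[] args) {
        // Constructed sample document; the content is what a malicious skin would try to print.
        Date created = new Date(0L);
        WikiDocument secret = new WikiDocument("Main", "Secret", "confidential page text",
                                               created, created, "3.2");

        // Constructed rights rule for the demo: only "admin" may view the page.
        RightsService rights = (user, doc) -> "admin".equals(user);

        WikiDocument forAdmin = (WikiDocument) SkinContextBinder.buildContext("admin", secret, rights).get("doc");
        WikiDocument forGuest = (WikiDocument) SkinContextBinder.buildContext("guest", secret, rights).get("tdoc");

        System.out.println("admin sees $doc.content = \"" + forAdmin.content + "\"");   // real content
        System.out.println("guest sees $tdoc.content = \"" + forGuest.content + "\"");  // empty
        System.out.println("guest still sees $tdoc.name = " + forGuest.name
                           + ", version " + forGuest.version);                         // Secret, 1.1
    }
}
```

Note that the stub is a new object rather than a wrapper around the real one, so even reflection or future accessor methods on the stub cannot reach the withheld content; that is the property to preserve when the real fix is written.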