There appears to be no way to prevent display of the title of objects in 'Recently Added Items' that can't be viewed. For an authenticated user with no Lister rights, the names of communities, collections and records still display. This has major security implications for highly sensitive material - if records, communities or collections cannot be viewed by a particular user, they should never display.
See attached screenshot. The 'Secret Squirrel' record is in the 'I'm secret' collection which is in 'Matt Community'. The logged in user has no rights for Matt Community and all child rights are inherited.
Logged In: YES
user_id=485632
Originator: YES
Okay, tried this in trunk, revision 1426 and different (better) but still wrong behaviour exhibited:
SETUP

Two users:
  Matt Painter Secure
  Matt Painter Not-So-Secure

Two communities:
  Secure community
  Insecure community

Security rights:
  Secure community - Lister = Matt Painter Secure, Viewer = Matt Painter Secure
  Insecure community - no rights set

Each community has a collection and a record, and all are set to inherit security from parents.

After running cache_recent_items.php, the following displays:

Matt Painter Secure
  Insecure Image (note: not clickable)
  Insecure Collection
  Insecure Community

Matt Painter Insecure
  Insecure Image (note: not clickable)
  Insecure Collection
  Insecure Community

Administrator (default admin user)
  Insecure Image (note: clickable)
  Insecure Collection
  Insecure Community
Even after selecting all three users as a Lister for the Secure Community, it still doesn't display in Recent Items.
Further to this, I've noted some inconsistency:
Display of Recent Items:
Insecure Image
Insecure Collection
Insecure Community
Secure Image
Secure Collection
Secure Community
Insecure Image
Insecure Collection
Insecure Community
Insecure Image
Insecure Collection
Insecure Community
Secure Image
Secure Collection
Secure Community
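
The behaviour the report asks for, as an added example that is not part of the original ticket and is not the project's code: a shared recent-items cache stores only object ids, and Lister rights (inherited from parents) are checked per user at display time. All names and the sample data are constructed from the setup described above; treating an object with no Lister rule anywhere in its parent chain as unrestricted is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Obj:
    title: str
    parent: Optional[str] = None         # parent id; None for a top-level community
    listers: Optional[frozenset] = None  # None = inherit from parent

# Constructed sample data mirroring the setup in the report.
OBJECTS = {
    "secure_comm": Obj("Secure Community", listers=frozenset({"Matt Painter Secure"})),
    "secure_coll": Obj("Secure Collection", parent="secure_comm"),
    "secure_img": Obj("Secure Image", parent="secure_coll"),
    "insecure_comm": Obj("Insecure Community"),
    "insecure_coll": Obj("Insecure Collection", parent="insecure_comm"),
    "insecure_img": Obj("Insecure Image", parent="insecure_coll"),
}

# What a cron-built cache would hold: ids only, shared by every user (hypothetical).
RECENT_CACHE = ["insecure_img", "insecure_coll", "insecure_comm",
                "secure_img", "secure_coll", "secure_comm"]

def effective_listers(obj_id, objects):
    """Return the nearest Lister set up the parent chain, or None if none is set."""
    seen = set()
    while obj_id is not None:
        if obj_id in seen or obj_id not in objects:
            raise LookupError(f"broken parent chain at {obj_id!r}")
        seen.add(obj_id)
        obj = objects[obj_id]
        if obj.listers is not None:
            return obj.listers
        obj_id = obj.parent
    return None

def can_list(user, obj_id, objects):
    """True only if the user may see that the object exists."""
    try:
        listers = effective_listers(obj_id, objects)
    except LookupError:
        return False  # fail closed: unknown or cyclic ancestry is never displayed
    return listers is None or user in listers

def recent_items_for(user, cache=RECENT_CACHE, objects=OBJECTS):
    """Titles from the shared cache that this user is allowed to list."""
    return [objects[i].title for i in cache if can_list(user, i, objects)]
```
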