SS-2015-019: Leaky draft stage risk

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Severity:: Low (?)
Identifier:: SS-2015-019
Versions Affected:: 3.2 and below
Versions Fixed:: 3.3.0-beta1
Release Date:: 2015-12-23

In some cases, user code which applies Versioned extension to DataObjects may expose non-public content, unless an appropriate canView is implemented which checks access for the current stage.

This is a risk in cases that the site is put into staging mode by an unauthenticated user.

In 3.3.0 versioned dataobjects will now automatically have a default security model which denies draft access to public users, and directly blocks access to the stage mode via the querystring.

This is accepted as not a security bug but rather a risk to mitigate common errors in user code which fail to address appropriate permission checks. Please read the security documentation on versioning for more information on how site developers can secure their code.