SS-2015-019: Leaky draft stage risk
- Severity:
- Low (?)
- Identifier:
- SS-2015-019
- Versions Affected:
- 3.2 and below
- Versions Fixed:
- 3.3.0-beta1
- Release Date:
- 2015-12-23
In some cases, user code which applies Versioned extension to DataObjects may expose non-public content, unless an appropriate canView is implemented which checks access for the current stage.
This is a risk in cases that the site is put into staging mode by an unauthenticated user.
In 3.3.0 versioned dataobjects will now automatically have a default security model which denies draft access to public users, and directly blocks access to the stage mode via the querystring.
This is accepted as not a security bug but rather a risk to mitigate common errors in user code which fail to address appropriate permission checks. Please read the security documentation on versioning for more information on how site developers can secure their code.