
Protected assets are viewable if embedded outside a WYSIWYG #468

Open
brynwhyman opened this issue Sep 6, 2021 · 2 comments

@brynwhyman

Overview

It appears that protected assets are still able to be accessed by anonymous users if these protected assets are embedded in a page outside of a WYSIWYG field, for example in the default 'file block' created to embed files on a page.

Whereas, if you add a protected file to a page via a WYSIWYG field, when a user who does not have permission to access that file attempts to view it, they will correctly see a broken image link.

It could be expected that this exposes the following scenario:

  • A site has a large number of CMS content editors (who can view draft pages)
  • A special page has been drafted to publicise a still-to-be-released sensitive report. The report has strict view permissions so only a small group of users can view it. It has been added to the draft page for download via a 'file block'
  • While the intention is for this report to be inaccessible by the majority until it is made public, it will actually be accessible by everyone who has access to the draft page, outside of the group with permission to view it.

Steps to recreate

  1. Add a file to the Files area, set 'Who can view this file' to "Only logged-in users"
  2. Create a blocks page, add a File Block, add the new file to the block, save and publish the page.
  3. In an incognito browser, view the published page.
  4. Expected result: The file should not be visible as you are not logged-in
  5. Actual result: The file can be viewed by people outside of the view group, in this case, 'anonymous users'.

Related issues

@michalkleiner
Contributor

Is it possible that the File block owns the file and therefore publishes it? Is the file itself published with limited permissions or kept only in draft? What is the state of the file after publishing the page?

@brynwhyman
Author

Hey @michalkleiner, the publish will cascade to the file but even so the file has access permissions on it that should restrict who can view the file.

In contrast, using a WYSIWYG field, the following works as expected:

  1. Add a file to the Files area, set 'Who can view this file' to "Only logged-in users"
  2. Create a blocks page, add a Content Block, and in the WYSIWYG use the 'Insert from Files' option to add the new file, then save and publish the page.
  3. In an incognito browser, view the published page.
  4. The file should not be visible as you are not logged-in (as expected)
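As an added illustration of the check a reviewer would want around a block that embeds a file (example code written for this discussion; it is not from the issue, the elemental module or SilverStripe core): a `DataExtension` that exposes the block's file to the template only when the current member passes `File::canView()`. The class name, the `getViewableFile()` method and the `$ViewableFile` template variable are assumptions introduced here; the block's `has_one` relation is assumed to be named `File`.

```php
<?php
// Added example, not project code. Hypothetical extension for a file-embedding
// block: the template should only touch the file (its name, URL or download
// link) after an explicit canView() check for the current member.

namespace ExampleProject\Extensions;

use SilverStripe\Assets\File;
use SilverStripe\ORM\DataExtension;
use SilverStripe\Security\Security;

class FileBlockVisibilityExtension extends DataExtension
{
    /**
     * Return the block's file only if the current member is allowed to view it.
     *
     * Assumption: the block declares `private static $has_one = ['File' => File::class]`,
     * so $this->owner->File() returns the linked File (or an empty record).
     */
    public function getViewableFile(): ?File
    {
        /** @var File|null $file */
        $file = $this->owner->File();

        // Unlinked or deleted file: nothing to show.
        if (!$file || !$file->exists()) {
            return null;
        }

        // Anonymous visitors get null here; canView() handles a null member
        // by evaluating the file's "Who can view this file" setting for them.
        $member = Security::getCurrentUser();

        return $file->canView($member) ? $file : null;
    }

    /**
     * Convenience for templates: true when there is a file the viewer may see.
     */
    public function hasViewableFile(): bool
    {
        return $this->getViewableFile() !== null;
    }
}
```

The extension would be attached to the block class through the usual YAML `extensions` configuration, and the block template would wrap its output in `<% if $HasViewableFile %> … $ViewableFile.Name / $ViewableFile.URL … <% end_if %>` instead of reading `$File` directly, so a visitor outside the file's view group sees no link at all rather than a working one. This mirrors the behaviour the last comment describes for the WYSIWYG path (the file is simply absent for users who lack permission) and is a template-side safeguard, not a claim about where the reported bug lives.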
