Security BUG - user without publish right can publish
Umbraco Version: 4.7.0
asp.net version:4.0.30319.1
Windows and iis version: Win2008 IIS 7.5
Stacktrace: N/A
A detailed description of what you did before the issue happened: create user of writer
type, login as "writer" user, create document and set "Publish at" date
as today, press "save", wait few seconds/minutes and document will be
published automaticaly even ommiting required fileds
This should definately go to codeplex as Kim says - please post the link to the issue in here so others who come accross this bug in here is more likely to go and vote it up on codeplex.
I have just tried to do the steps you described and I'm able to reproduce it.
I hate to dig up the past here, but I am having the exact same issue with one of our client websites. Despite the writer not having the security permissions to publish, they can override this by setting a "Publish At" date and then clicking Save and Send For Approval. The end result is that the content is published without the approval process.
Was this bug ever resolved? The codeplex website link is dead.
Security BUG - user without publish right can publish
Hi Erni
I think you should report this issue on Codeplex if it's not already there. Maybe if you're lucky it can be changed before v4.7.1 goes out then.
/Kim A
Hi Erni
This should definately go to codeplex as Kim says - please post the link to the issue in here so others who come accross this bug in here is more likely to go and vote it up on codeplex.
I have just tried to do the steps you described and I'm able to reproduce it.
/Jan
Hi,
Actually there is a workitem on this already: http://umbraco.codeplex.com/workitem/22251
Vote it up! You might also post your steps to reproduce there as well.
-Tom
Ahh nice find Tom. Just gave it my vote.
/Kim A
Thanks guys, I gave them some comments there already and voted also.
We will see how it will go on..
I hate to dig up the past here, but I am having the exact same issue with one of our client websites. Despite the writer not having the security permissions to publish, they can override this by setting a "Publish At" date and then clicking Save and Send For Approval. The end result is that the content is published without the approval process.
Was this bug ever resolved? The codeplex website link is dead.
Umbraco version is: v4.11.9
Thanks very much.
William
is working on a reply...