Alttemplate problem (possible security flaw?)
Today I noticed that when using an alt template, the allowed templates (for that document type) are bypassed; this means that any template can be used on any item.
In 99% of the cases this is no problem, but in some cases it can be, i.e. when you make a viewreport template which displays sensitive data, and you use that template on a secured node, the template can still be used on another page, so keep this in mind when you are developing templates!
I agree, alternate templates should honor the list of specifically allowed templates for a docType. Can you add this to Codeplex as a bug report?
cheers,
doug.
Ok Douglas, will submit this.
http://umbraco.codeplex.com/WorkItem/View.aspx?WorkItemId=24581
When I did the Level 2 course, Niels commented on this as being by design, and leaving it up to the developer to make sure that security scenarios like these don't happen.
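A developer-side guard of the kind the thread describes, as an added example that is not part of the original posts and is not Umbraco's own code: before a template renders, it checks the requested template alias against the allowed list for the node's document type. The `Node` type, the alias names and the allowed-template map are all constructed for illustration and do not use any Umbraco API.

```csharp
using System;
using System.Collections.Generic;

// Constructed model for illustration: none of these types are Umbraco APIs.
public sealed class Node
{
    public string DocTypeAlias = "";
    public bool IsProtected;   // true when the node sits behind access protection
}

public static class AltTemplateGuard
{
    // Hypothetical map: document type alias -> template aliases allowed for it.
    static readonly Dictionary<string, HashSet<string>> Allowed =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            ["Report"]   = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "ViewReport" },
            ["TextPage"] = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "TextPage", "PrintView" },
        };

    // Hypothetical list of templates that output sensitive data.
    static readonly HashSet<string> Sensitive =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "ViewReport" };

    public static bool MayRender(Node node, string requestedTemplate)
    {
        if (string.IsNullOrWhiteSpace(requestedTemplate)) return false;
        // Deny by default: unknown document type, or template not on its allowed list.
        if (!Allowed.TryGetValue(node.DocTypeAlias, out var templates)) return false;
        if (!templates.Contains(requestedTemplate)) return false;
        // Second check: a sensitive template never renders on an unprotected node.
        if (Sensitive.Contains(requestedTemplate) && !node.IsProtected) return false;
        return true;
    }

    public static void Main()
    {
        var report = new Node { DocTypeAlias = "Report", IsProtected = true };
        var publicPage = new Node { DocTypeAlias = "TextPage", IsProtected = false };
        Console.WriteLine(MayRender(report, "ViewReport"));      // template on its own secured node
        Console.WriteLine(MayRender(publicPage, "ViewReport"));  // report template requested on another page
        Console.WriteLine(MayRender(publicPage, "PrintView"));   // alternate template that is on the allowed list
    }
}
```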