Pimcore: [proposal] shared includes snippets should not be publicly viewable as documents/web pages (potential security risk?)

Created on 7 Sep 2019  路  3Comments  路  Source: pimcore/pimcore

Bug Report

Expected behavior

Some documents, such as /en/shared/includes/footer, teasers, etc. are meant to be included by other "real" documents, but not viewable by itself.

e.g. https://demo-basic.pimcore.org/en/shared/includes/footer is only for internal use.

Actual behavior

https://demo-basic.pimcore.org/en/shared/includes/footer is visible.

Steps to reproduce

Visit https://demo-basic.pimcore.org/en/shared/includes/footer

picture ceefour

All 3 comments

Snippets are by design public available, that's not a bug, but we can discuss whether this makes sense or not, but in any way it would be a BC break.

brusch picture brusch on 9 Sep 2019
👍1

@brusch ok. I'd suggest on Pimcore 7 snippets should be private, unless there's a common use case it should be public?

Having them public could potentially be security risk. Documents can be secured with authentication, but maybe admins don't realize that snippets (with non public contents) need to be secured individually as well.

ceefour picture ceefour on 9 Sep 2019
👍1

I agree with @ceefour here. Guess the document router should just not pick up on Snippets outside the admin context. Wouldn鈥檛 even be a BC IMO since they shouldn鈥檛 be used publicly anyway

dpfaffenbauer picture dpfaffenbauer on 9 Sep 2019
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

brusch picture brusch  路  5Comments
dkarlovi picture dkarlovi  路  3Comments
zeor59 picture zeor59  路  5Comments
brusch picture brusch  路  5Comments
NiklasBr picture NiklasBr  路  4Comments