Groups with access to single subsite can create draft pages on other subsites #434

Open
ornatipinnis opened this issue Jul 2, 2019 · 7 comments

Comments

@ornatipinnis

This seems to be an issue that I cannot resolve through the Groups and Roles interface and seems to be a bug with how Subsites works.

I have a basic site (SS4.4) running subsites with the following:

main site

  • subsite: Hutt
  • subsite: Wellington

I create a group called Wellington and one called Hutt within each subsite and provide them both with the following permissions:

  • Access to 'Pages' section
  • Access to 'Files' section

I then set the permissions on Wellington and Hutt so that they can only access a certain subsite (Wellington group can only access Wellington Subsite, etc.).

I then visit the Wellington site's URL and log in as the Hutt Member and I can view the admin section of the site with the following section options:

  • Pages
  • Files

I can click into Pages and view the sitetree for a site that I shouldn't be able to access. I can also use the Add new button and add draft pages to the site that the user should not be able to access.

If I set the permissions for a group to only be able to access a single subsite then I wouldn't expect that user to be able to view the sitetree or add draft pages to a sitetree on another subsite.

@ScopeyNZ
Member

ScopeyNZ commented Jul 8, 2019

Almost certainly the same problem as reported here: #358

@ornatipinnis
Author

> Almost certainly the same problem as reported here: #358

This issue didn't involve sub-groups or roles.

@ScopeyNZ
Member

ScopeyNZ commented Jul 8, 2019

Yeah - but the problem uncovered in that issue highlighted some pretty major flaws in how subsites handles permission validation.

@ornatipinnis
Author

> Yeah - but the problem uncovered in that issue highlighted some pretty major flaws in how subsites handles permission validation.

Thanks for the update. Any idea if/when this will be looked at? This is a little bit concerning, especially as this is offered on the CWP platform.

@ScopeyNZ
Member

ScopeyNZ commented Jul 8, 2019

It has been looked at in the past but is a pretty nuanced problem (see #388). I'm not sure when it will be looked at again. I understand that it's part of the CWP product but we have over 90 modules that we support as part of CWP so it can be difficult.

@ornatipinnis
Author

> It has been looked at in the past but is a pretty nuanced problem (see #388). I'm not sure when it will be looked at again. I understand that it's part of the CWP product but we have over 90 modules that we support as part of CWP so it can be difficult.

Maybe you should reduce the number of modules offered if you do not have the capacity to support them.

@NightJar
Contributor

NightJar commented Jul 8, 2019

Thank you for the report.
This is an open source module, and if you feel you have the ability to contribute, we would welcome the help and provide guidance if necessary.

If you are unable to assist, then this is a question not of capacity, but of priority.
I'm sure given the severity of this issue that the priority will be increased, however time-frames are not something we can comment on.


4 participants