Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

canArchive() is not called before archiving versioned links #291

Closed
GuySartorelli opened this issue May 27, 2024 · 1 comment
Closed

canArchive() is not called before archiving versioned links #291

GuySartorelli opened this issue May 27, 2024 · 1 comment
Assignees
@GuySartorelli
Labels
affects/v5 impact/medium type/bug

Comments

@GuySartorelli
Copy link
Member

GuySartorelli commented May 27, 2024
edited by emteknetnz
Loading

Note that this has been looked at from a security standpoint, and the CMS Squad has decided it does not constitute a security issue under our current security process.

‎‎LinkFieldController::linkDelete() checks canDelete(), but for versioned records it doesn't check canArchive. It does have version-aware logic to call doArchive() instead of delete(), so it should also use the correct permission check.

Acceptance criteria

  • For versioned links, the canArchive() permission method is called
  • For non-versioned links, the canDelete() permission method is called

PRs
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@GuySartorelli GuySartorelli

Labels
affects/v5 impact/medium type/bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@emteknetnz @GuySartorelli