Security problem CMS subsite view
intwebg opened this issue · 4 comments
A member can access and see all the contents of all subsites if he knows the domain names that are configured in the CMS. He can't change any information but he can see all configurations, text, draft pages. (view only)
A related problem: if a member with a defined subsite connects through the main site domain, he will see the content of the main site in view only.
I think this is a duplicate of the bug report here, quoting a slightly different scenario: #434
It's clearly a bug with Subsites, but this is a limitation that is not a regression (nor clearly defined in the module documentation).
Looks like the other one, but I can't confirm totally because I don't know this module very well. I have another observation. If I uncheck «Access to 'Pages' section» for the group I have created with the user and log in with the user's information, I'm redirected directly to the subsite I have selected in the permissions. Now I can't see anything from other subsites. And when I try to change subsite from the address bar with «?SubsiteID=2», I can't access it. So now it works partially, because I can't see the site tree to create/modify/delete pages.
Checking for any progress on this? It is a major limitation of the module that the security permissions don't work correctly. Also, it isn't possible to restrict users' access to only the main website: when you don't select a subsite for them to access, it removes the dropdown from the admin panel, but they can log into any of the other admin areas via the domains.
Any update about this problem? I think it should really not be possible to log in to CMS via other subsites.