-
- 120 Posts
Does Ditto rss not respect web groups? I created a page that was for my eyes only, and did several verifications to make sure it wasn’t showing up for the public. It wasn’t showing up in any web pages or menus unless you were logged in with the proper credentials. Later, however, I discovered that it was showing up in my rss feed. Is this a bug, or am I missing something?
Thanks.
-
- 120 Posts
I’ve located at least one place in the ditto class that allows secured documents to get through to public results. It’s in the GetAllSubDocs method. This is one of two ways that the ditto class obtains documents. The other way is secure because it uses methods from modx’s DocumentParser class, which are already set up to check permissions on documents.
I’m attaching a proposed revised version of the ditto class. The only thing that I changed was the db query in the GetAllSubDocs method. Look it over and let me know what you think. This should solve the problem.
I’ll post this to the bug tracker as well.
Thanks... and great find.
Ryan Thrash, MODX Co-Founder
Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
-
- 3,250 Posts
Thank you for uncovering this issue. I will make sure this gets repaired in the next release.
MODX Staff
