Front end preview as non-admin bypasses protection

[asaage]

That might be a duplicate of #567 but as that was closed 4 years ago without solution i suggest to change at least the wording.
Not only does that selection allow to show unpublished elements but also protected elements and pages.
In my use-case that's definitely a security issue - so i am going to disable the Frontendpreview completely for non-admin BE-users.
Any Info on that for contao4 is appreciated.

[fritzmg]

Element and page protection only applies to frontend users. Thus any backend user (regardless of whether he or she is an Admin) is able to view any such elements.

[asaage]

That would make clear, what is going on.
And the ability to turn this feature off in the security settings would be nice to have.

[fritzmg]

Having such an option wouldn't make any sense. Any backend user can see any element (given the appropriate access rights) in the backend regardless of its 'protected' state.

[asaage]

you name it: (given the appropriate access rights)

[fritzmg]

The access rights have nothing to do with the visibility in the frontend though.

[asaage]

just an example:
A BEuser of the public relation office who has the ability to edit some public gallery-sites with the appropriate pagemount should not be able to see protected content (which is edited by the business-management BEgroup) if he has no FE-Account that legitimates him to do so.
But under the present conditions he CAN with the help of the Frontend-preview. Therefore turning the Frontend-preview feature completely off totaly makes sense to me.

I have made the "show unpublished" only available for admin's in the be_switch template but as i can not imagine that my usecase is too special i think having a checkbox in the system settings would not be a big deal at all.

[fritzmg]

But under the present conditions he CAN with the help of the Frontend-preview.

Only if the backend user has the right to do so. If you disable the access to the frontend users for that backend user, he cannot view the frontend as any frontend user.

Otherwise if a backend user has access to the frontend users, he can log in as any frontend user, regardless of the preview mode.

[asaage]

he cannot view the frontend as any frontend user.

that is right.
but he can show the hidden elements (which are in fact the hidden and the protected ones)...

maybe i'm going to investigate more on that tomorrow.

[leofeyer]

What is the status of your investigation?

[asaage]

I still think it's a secuity-flaw
backend-user's should not get access to protected frontend-content but the show-hidden-dropdown allows for exactly that.
so it should at least be renamed to show-hidden-and-protected.

[leofeyer]

@contao/developers /cc

[aschempp]

I think the suggestion is valid, but hard to change because people are very used to it

1. Change BE_USER_LOGGED_IN to not change frontend access permission (only publishing).
2. Only allow frontend user login if the backend user has access to tl_member

So if you want to see certain frontend pages you need to login as that user. That's actually why there is such an option, because I usually login as a user but do not show unpublished content...

[leofeyer]

Changed in contao/core-bundle@426f714.