[2.3 beta] Authors can edit sections via "Edit Section" button

[nickdunn]

Has it always been the case that an Author (not Developer) can modify sections by guessing the URL?

In 2.3 beta there is an "Edit Section" button in the entry listing view which is shown to authors as well as developers, even though the Blueprints menu is hidden.

Edit: also, the "Sections" label in the breadcrumb on the section editor leads to a 404 for authors. So I'm guessing that they should never get here in the first place.

[brendo]

The button shouldn't appear to Authors, so that's the first bug.

The second is a familiar situation. Previously you could guess the URL of a hidden section for the entries table, in 2.2 I changed this behaviour so if a section was hidden, it'd 404. In 2.2.3 (IIRC), we reverted the behaviour back as we concluded that the hide/show feature is more of a visual thing, rather than enforcing access rules.

Editing sections is a whole different ball game though, so I agree, Authors shouldn't be allowed to guess such URL's.