The `wagtail.admin.views.pages.revisions_view` view (which displays a preview of a page at a given revision number, as linked from the page revision listing) does not apply any permission checks other than `user_has_any_page_permission` (which only checks that they have add/edit/publish/lock permission somewhere in the page tree):

wagtail/wagtail/admin/views/pages.py, lines 1177 to 1183 in 268df8c

This means that if a Wagtail editor is able to guess a page ID and corresponding revision ID, they would potentially be able to view private pages that they would otherwise have no access to.

The `view_draft` view explicitly checks for edit or publish permission on the requested page, and it would make logical sense to do the same here.

wagtail/wagtail/admin/views/pages.py, lines 586 to 588 in 268df8c
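As an added illustration (not Wagtail's code and not part of the report), a minimal Python model of the two checks contrasted above: a tree-wide "any permission" test versus a per-page edit/publish test whose permissions apply to a root page and its descendants. `Page`, `PagePermission`, `User`, the constructed page tree and the two `revisions_view_*` functions are stand-ins, not Wagtail APIs.

```python
# Added example (not Wagtail's code): a minimal model of Wagtail-style page
# permissions, showing why a tree-wide "has any permission" check is not
# enough to gate a per-page revision preview, and the per-page check that is.
from dataclasses import dataclass, field


@dataclass
class Page:
    id: int
    parent: "Page | None" = None

    def ancestors_and_self(self):
        node = self
        while node is not None:
            yield node
            node = node.parent


@dataclass
class PagePermission:
    root: Page      # permission applies to this page and all of its descendants
    kind: str       # "add" | "edit" | "publish" | "lock"


@dataclass
class User:
    name: str
    perms: list = field(default_factory=list)


def user_has_any_page_permission(user: User) -> bool:
    """Tree-wide check: true if the user holds any permission anywhere in the tree."""
    return bool(user.perms)


def user_can_edit_or_publish(user: User, page: Page) -> bool:
    """Per-page check: an edit/publish permission rooted at this page or an ancestor."""
    scope = {p.id for p in page.ancestors_and_self()}
    return any(p.kind in ("edit", "publish") and p.root.id in scope for p in user.perms)


def revisions_view_weak(user: User, page: Page) -> int:
    """HTTP status of the revision preview gated only by the tree-wide check."""
    return 200 if user_has_any_page_permission(user) else 403


def revisions_view_fixed(user: User, page: Page) -> int:
    """Same view gated like view_draft: edit or publish permission on this page."""
    return 200 if user_can_edit_or_publish(user, page) else 403


# Constructed page tree: root -> blog, root -> hr -> handbook (hr subtree is private).
root = Page(1)
blog = Page(2, root)
hr = Page(3, root)
handbook = Page(4, hr)
blog_editor = User("blog_editor", [PagePermission(blog, "edit")])  # edit rights on blog only
```

With only the tree-wide check, `blog_editor` gets a 200 for `handbook`'s revision preview; with the per-page check the same request is refused with 403 while access to `blog` still succeeds.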