Security Bug: some pages can be viewed even when site access is set to "Members only"

I refer to this setting
System & Settings > Permissions & Access > Site Access > Members - Only registered users may view the website.

I would expect that when this is selected, anonymous users cannot view any content except for the login page. This would be useful for a company intranet or private site of some kind.

But I've noticed several problems with this:

1. The permissions for individual pages can be overridden to allow "Anonymous" users.

2. Anonymous users can then actually access the page's content, although the page appears broken and a lot of the global areas are missing from the output.

3. Alarmingly, creating a new page sets it to publicly viewable BY DEFAULT.

(This is using simple permissions in Concrete 5.7.5.4)

Is this by design, or a bug?

simoneast

mesuva replied:
1. This makes sense to me. You can set the site to be members only initially, and then selectively pick pages to be public (i.e. a 'Guest').

2. From my quick test, I'm seeing what I'd expect here. I'm just seeing content that is on that particular page, and items on the nav that I don't have access to aren't shown. Global areas are tricky to address in simple permissions mode, as they're not associated with a page as such, so I think not seeing them makes sense.

3. I couldn't replicate this.
I locked off the site to members only, I opened up a different browser and found I couldn't access any page (kicked to login). I then created a new page. In my logged out browser, I couldn't access that page when I manually tried to get to it.
I then tried both swapping the access back to public, as well as specifically assigning the guest permission to the new page - in both cases the access was granted to a non-logged in visitor.

So I'm not picking up a bug as such.

I'm wondering if you have something like varnish caching on your server and that's returning cached versions of pages instead of the actual site returning the correct response.
simoneast replied:
OK, yes, I can see your points about #1. Unfortunately on a client's corporate intranet site with 100+ pages I've seen some pages default to being "public" and no idea how to actually check which ones are now public (none of them should be).

I'll have to do more testing on a clean install to see if I can replicate it, but here's a screenshot from the site that shows the default permissions for a page type, and then the permissions that were automatically applied when creating the page – note that it defaulted to allow anonymous users and also excluded the "SGS Staff" group from being able to edit it.

http://imagizer.imageshack.com/img922/9739/448Y2G.png...
mesuva replied:
I think you might be misunderstanding the controls in your screenshot.
I believe the permissions on the left set permissions on being able to _edit the page type itself_, i.e. if you wanted to add a new block to the default page.

See the second heading refers to 'Permissions for all pages created of this type'. It's that section where the initial permissions would be configured for a new page - but note the blue notice there - that doesn't apply in simple permissions mode.

So the two things you've connected with your arrow aren't the same things.

(I normally just use advanced permissions, so I could be misreading the screen myself.)
simoneast replied:
OK, I see. Yes, perhaps you're right. That permissions section on the left seems to mix permissions for the page type itself and also pages of that type, hence my confusion.

We had some really weird bugs crop up on another site after enabling advanced permissions, so I'm super nervous about enabling it in this case. But I should experiment with it on a dev copy at some point.

Thanks so much for taking the time to respond. Appreciate it.
simoneast replied:
And no, there's no varnish cache. There is CloudFlare but it doesn't normally cache HTML, and I think I tried it directly with the same result. But I will try to gather some more info when I have a few hours to dedicate to it.
simoneast replied:
And I'm still not clear on what the "Members - Only registered users may view the website" setting actually does. If it doesn't actually restrict access at a global level, then is it supposed to:

- Disable anonymous "view" permissions for newly created pages (sets the default)?
- Disable anonymous "view" permissions for all existing pages?
andrew replied:
It sets the permissions at the root of the site to be viewable by Registered Users only. By default, this trickles down to all sub-pages. That's it. Then, if you override the permissions on an individual page, that page could be made viewable by Guests. But if you don't - it won't be.
simoneast replied:
OK, thanks Andrew. So how can you tell if a page is overriding the defaults or not? I didn't notice anything mentioned on the Page Permissions screen. And is there a way to return a page so that it no longer overrides defaults?
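An added example, not posted by anyone in this thread and not part of concrete5 itself, of how an administrator could audit the situation andrew describes (root permissions trickling down, individual pages overriding them) and answer the follow-up question of which pages are overriding. It queries the site database directly and assumes the 5.7-era schema as I understand it: `Pages.cInheritPermissionsFrom` holds 'PARENT', 'TEMPLATE' or 'OVERRIDE' and `Pages.cInheritPermissionsFromCID` points at the page whose permission assignments are actually in effect; `PagePermissionAssignments` links that page to an access list for a `PermissionKeys` handle such as 'view_page'; `PermissionAccessList` rows with `accessType = 10` are "include" entries; `PermissionAccessEntityGroups` and `Groups` resolve an access entity to a group name. Every table and column name here is an assumption to verify against your own install before trusting the output.

```sql
-- Added audit queries (assumed concrete5 5.7 schema, see lead-in; not the
-- project's own code). Run read-only against a copy of the site database.

-- 1. Which pages have broken away from the inherited (root) permissions?
--    These are the only pages where a per-page "Guest may view" grant can live.
SELECT p.cID,
       pp.cPath,
       p.cInheritPermissionsFrom,
       p.cInheritPermissionsFromCID AS effective_source_cID
FROM Pages p
LEFT JOIN PagePaths pp
       ON pp.cID = p.cID
      AND pp.ppIsCanonical = 1          -- assumed: canonical path flag
WHERE p.cInheritPermissionsFrom = 'OVERRIDE'
  AND p.cIsTemplate = 0                 -- skip page-type defaults
ORDER BY pp.cPath;

-- 2. Which pages are effectively viewable by the Guest group?
--    Follows each page to the page it inherits permissions from, then looks for
--    an "include" entry for the Guest group on the view_page key.
SELECT p.cID,
       pp.cPath,
       p.cInheritPermissionsFrom,
       p.cInheritPermissionsFromCID AS effective_source_cID
FROM Pages p
JOIN PagePermissionAssignments ppa
       ON ppa.cID = p.cInheritPermissionsFromCID
JOIN PermissionKeys pk
       ON pk.pkID = ppa.pkID
      AND pk.pkHandle = 'view_page'
JOIN PermissionAccessList pal
       ON pal.paID = ppa.paID
      AND pal.accessType = 10           -- assumed: 10 = include, 5 = exclude
JOIN PermissionAccessEntityGroups paeg
       ON paeg.peID = pal.peID
JOIN Groups g
       ON g.gID = paeg.gID
      AND g.gName = 'Guest'
LEFT JOIN PagePaths pp
       ON pp.cID = p.cID
      AND pp.ppIsCanonical = 1
WHERE p.cIsTemplate = 0
  AND p.cIsActive = 1
ORDER BY pp.cPath;
```

The first query answers "is this page overriding the defaults?" for every page at once, which the Page Permissions dialog does not show in one place. The second is a stored-assignment view, not the permission checker's evaluation: it ignores exclude entries, inactive access lists and anything added by advanced-permissions workflows, so treat a page it lists as "needs a look" and confirm with a logged-out browser (bypassing any CDN or page cache) before and after changing it. On a members-only intranet both result sets should normally be empty apart from the login page.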