Related pages linking feature has a bug with publishing pages (SS4)

[Veronica-davidraj]

Steps to reproduce:

-Create page A and page B
-Link both pages via related pages tab

When testing the scenario above we found a security issue with the related pages tab.

Page B(Draft) gets attached to Page A(Published) via the related pages tab then Page B automatically gets published when Page A is published again.

[maxime-rainville]

@Veronica-davidraj Thanks for reaching out. For future reference, if you come across an issue you think as security implications, please email [email protected] first. You can find more information about Reporting security issues is our official doc.

In this specific case, we agree this is a bug. We don't think it's worth treating it as a security issue however.

You would need to have CanView permissions on Page B to view its content even after publishing it. Presuming you have CanView permission on Page B without CanEdit, you would still be able to view the draft content. You could just take that draft content and copy-paste it on a page you can publish.

[maxime-rainville]

The problem here is that "Related pages" is a $owns relation. That doesn't make much sense.

My guess is this something we could ship in a minor release, but probably not in a patch release. Would we be comfortable sneaking this one into 4.13 post beta? If not, it will have to stay like this in CMS 4, and will only be shipped in CMS5.