Hello Community,
While fixing Locator shows unpublished first page as "Home" I've noticed that $s ignores the publishing status of pages, i.e. even if the requested page is unpublished, $s is set as if it wasn't. One issue that is caused by this faulty behavior can be seen in the locator. Requesting an unpublished page shows the same output as if the page was not published, while requesting a nonexistent page shows "Error 404: Not found". Actually, this is an Information Exposure Vulnerability (albeit a minor one), because a visitor must not be able to find unpublished pages.
I have fixed that with r1462+r1463.
However, this raises a new issue: after switching an unpublished page to view mode, switching to edit mode will change to the first page. This happens because of the first if statement in XH_adminMenu() (by the way, I'm not sure why $su is reset here; seems somewhat strange). Fixing the issue is likely to require another global variable[1], which would either store the indexes of unpublished pages ($hc style), or flags signalling whether a page is hidden ($h style). OTOH, this variable would simplify the $_XH_firstPublishedPage detection, and could even be used to get rid of $_XH_firstPublishedPage, but this variable might already be used by custom code. So, I'm not sure whether we should regard this issue as a bug, or merely as an improvable behavior[2] (similar to the "No page selected" message which pops up from time to time in edit mode).
[1] More generally, it requires global state, but PHP 4 doesn't allow tagging a class member as static, while PHP 5 throws an E_STRICT if a non-statically declared member is accessed statically.
[2] While we have a regression against former CMSimple_XH versions, classic CMSimple behaves as XH with these patches.
$s ignores publishing status of pages
Christoph M. Becker – Plugins for CMSimple_XH
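The information exposure described in the post above, as an added example that is not part of the original post and is not CMSimple_XH code: a page resolver that gives a visitor the same result for an unpublished page as for a nonexistent one. The names `resolvePage()`, `renderLocator()`, `$urls` and `$published` are hypothetical, the sample site is constructed, and it is assumed that a logged-in admin may still open unpublished pages.

```php
<?php
// Added illustration, not CMSimple_XH code. All names are hypothetical
// and the page data below is constructed.

/**
 * Returns the index of the requested page, or -1 if the request must be
 * answered with "Error 404: Not found".
 */
function resolvePage(string $requested, array $urls, array $published, bool $isAdmin): int
{
    $index = array_search($requested, $urls, true);
    if ($index === false) {
        return -1; // the page does not exist
    }
    // A visitor gets the same result for an unpublished page as for a
    // nonexistent one, so the response cannot confirm that the page exists.
    if (!$published[$index] && !$isAdmin) {
        return -1;
    }
    return $index;
}

/** Renders what a locator-style breadcrumb would show for the request. */
function renderLocator(int $index, array $urls): string
{
    return $index < 0 ? 'Error 404: Not found' : 'Home > ' . $urls[$index];
}

// Constructed sample site: "Draft" exists but is unpublished.
$urls      = ['Welcome', 'News', 'Draft'];
$published = [true, true, false];

$unpublished = renderLocator(resolvePage('Draft', $urls, $published, false), $urls);
$missing     = renderLocator(resolvePage('NoSuchPage', $urls, $published, false), $urls);
$adminView   = renderLocator(resolvePage('Draft', $urls, $published, true), $urls);

// Regression check: a visitor must not be able to tell the two cases apart.
if ($unpublished !== $missing) {
    throw new RuntimeException('unpublished page is distinguishable from a missing one');
}

echo "visitor, unpublished: $unpublished\n";
echo "visitor, nonexistent: $missing\n";
echo "admin,   unpublished: $adminView\n";
```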
Re: $s ignores publishing status of pages
I tend to "improvable behaviour", as it reacts exactly as defined if I change to view mode.
Re: $s ignores publishing status of pages
+1
manu wrote: I tend to "improvable behaviour", as it reacts exactly as defined if I change to view mode.
Re: $s ignores publishing status of pages
Okay. I have put this issue on the 1.7 roadmap.
Christoph M. Becker – Plugins for CMSimple_XH