The eZ Publish 3.9.3 and 3.8.9 releases fix a security issue of high severity. These releases also fix several reported bugs.

Insufficient permission checking on views without a policy function defined

Insufficient permission checking was done on module views that do not have a policy function defined. This could cause problems in modules where views with a policy function were mixed with views without a policy function.

This flaw made the discount functionality in the shop module vulnerable. Sites where users have explicit permission to policies in the setup module could also be vulnerable.

All users who use the discount functionality in the shop module, or who have defined roles with explicit policies in the setup module, are encouraged to upgrade to the corresponding release. Users with sites containing views with and without policy functions in the same custom module are also encouraged to upgrade to the corresponding release, or to update their custom code so that every view has a policy function defined.

Information on how to define policy functions in views in custom code is available here:
http://ez.no/doc/ez_publish/technical_manual/3_9/features/policy_functions

See the changelogs for a complete list of fixed bugs:
http://ez.no/download/ez_publish/changelogs/ez_publish_3_9/changelog_3_9_2_to_3_9_3
http://ez.no/download/ez_publish/changelogs/ez_publish_3_8/changelog_3_8_8_to_3_8_9

The releases are available for download from our eZ Publish download page:
http://ez.no/download/ez_publish

Best regards,
Vidar L
--
Head of Development
eZ systems | ez.no
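To find custom modules that mix views with and without policy functions, the case the announcement above singles out, the following audit script can be run from the PHP command line; it is an added example and not part of the original announcement or of eZ Publish. It assumes that a module's `module.php` fills a `$ViewList` array and that each view names its policy functions under a `functions` key; the view names in the sample are constructed, and because `module.php` is loaded with `include`, the script should only be pointed at your own code base.

```php
<?php
// Added example, not eZ Publish code. Reports views that have no policy function.
// Assumption: a module's module.php fills $ViewList, and a view names its
// policy functions under the 'functions' key.

function auditViewList($viewList)
{
    $result = array('protected' => array(), 'unprotected' => array());
    foreach ($viewList as $name => $view) {
        // A missing or empty 'functions' entry is reported as unprotected.
        $functions = (is_array($view) && isset($view['functions']))
            ? (array) $view['functions'] : array();
        $key = count($functions) > 0 ? 'protected' : 'unprotected';
        $result[$key][] = $name;
    }
    // The announcement's risky case: both kinds of view in the same module.
    $result['mixed'] = count($result['protected']) > 0
        && count($result['unprotected']) > 0;
    return $result;
}

function loadViewList($moduleFile)
{
    // include runs in function scope, so the file's variables stay local.
    $ViewList = array();
    include $moduleFile;
    return is_array($ViewList) ? $ViewList : array();
}

// Constructed sample: a custom module mixing both kinds of view.
$sample = array(
    'list'   => array('script' => 'list.php', 'functions' => array('read')),
    'edit'   => array('script' => 'edit.php', 'functions' => array('edit')),
    'export' => array('script' => 'export.php'),
    'purge'  => array('script' => 'purge.php', 'functions' => array()),
);

// Audit the sample, then every module.php path given on the command line.
$targets = array('(constructed sample)' => $sample);
for ($i = 1; isset($argv) && $i < count($argv); $i++) {
    $targets[$argv[$i]] = loadViewList($argv[$i]);
}
foreach ($targets as $label => $viewList) {
    $r = auditViewList($viewList);
    echo $label . ': ' . ($r['mixed'] ? 'MIXED' : 'consistent') . "\n";
    foreach ($r['unprotected'] as $name) {
        echo "  view without policy function: $name\n";
    }
}
```

Pass one or more `module.php` paths as arguments; any module reported as MIXED is a candidate for adding a policy function to each listed view, or for upgrading as described above.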
