We have a site where some users only have the View entries and Create entries permissions for a section. They're supposed to only be able to create drafts for new or existing entries, but not publish them. In other words, they should not be able to do anything that immediately has an effect on the frontend.
However, through the entry index, they're still able to set the status to enabled or disabled, which takes effect immediately:
Screen.Recording.2025-03-31.at.11.38.30.mov
The dropdown is greyed out, but can still be interacted with, and apparently there is no server-side validation either.
Steps to reproduce
Give a user the permissions View entries and Create entries for any section.
Create an entry in that section and assign authorship to the newly created user.
Impersonate that user.
Go to Entries in the Control Panel and select an entry using the checkbox.
Click on Set status (which is greyed out) and select Disabled.
Expected behavior
The Set status dropdown should be completely disabled or not show up at all unless the current user has the Save entries permission (and Save other users’ entries if applicable).
There should be server-side validation to ensure the current user can only set the status for entries where they have the save permission.
Actual behavior
The status dropdown bypasses the above permission checks.
Craft CMS version
5.6.13
PHP version
No response
Operating system and version
No response
Database type and version
No response
Image driver and version
No response
Installed plugins and versions
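The server-side check asked for under "Expected behavior", as an added example that is not part of the original report and is not Craft CMS code. The `User` and `Entry` classes, the `canSetStatus()` and `setStatusBulk()` functions, and the permission strings (copied from the labels in the report) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed model, not Craft CMS code: permission strings are the labels
// used in the report; User, Entry and both functions are hypothetical.
final class User {
    public function __construct(public int $id, private array $perms) {}
    public function can(string $perm): bool { return in_array($perm, $this->perms, true); }
}
final class Entry {
    public function __construct(public int $id, public int $authorId, public bool $enabled = true) {}
}

// Rule from "Expected behavior": a status change needs "Save entries", plus
// "Save other users' entries" when the entry belongs to another author.
function canSetStatus(User $user, Entry $entry): bool {
    if (!$user->can('Save entries')) {
        return false;
    }
    return $entry->authorId === $user->id || $user->can("Save other users' entries");
}

// Bulk handler: authorize every selected entry before changing any of them,
// so a request sent from a greyed-out control changes nothing.
function setStatusBulk(User $user, array $entries, bool $enabled): array {
    $denied = [];
    foreach ($entries as $entry) {
        if (!canSetStatus($user, $entry)) {
            $denied[] = $entry->id;
        }
    }
    if ($denied !== []) {
        return ['ok' => false, 'denied' => $denied];
    }
    foreach ($entries as $entry) {
        $entry->enabled = $enabled;
    }
    return ['ok' => true, 'denied' => []];
}

// Constructed sample: the draft-only author from the report, and an editor
// who may save only their own entries.
$author = new User(7, ['View entries', 'Create entries']);
$editor = new User(8, ['View entries', 'Create entries', 'Save entries']);
$own = new Entry(101, 7);
$other = new Entry(102, 8);

var_dump(setStatusBulk($author, [$own], false), $own->enabled);
var_dump(setStatusBulk($editor, [$own, $other], false), $other->enabled);
```

The decision is made from the authenticated user and the stored entry on every request, independent of whether the index page rendered the control as disabled.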