Custom menu pages title leaked when access is denied #6416

@kewisch

Describe the bug
The custom pages you can add to event menus all have an id. You can cycle through them by visiting e.g. https://events.example.com/event/12/page/345 which will redirect to https://events.example.com/event/12/page/345-sekrit-page . If the user doesn't have permission for that page, they can still read the title via the URL slug.

To Reproduce
Steps to reproduce the behavior:

  1. Create custom pages that have access restrictions
  2. Visit the URL in a private window
  3. See redirected URL title

Expected behavior
Access restrictions should be applied before the redirect occurs. If the user has no access, the URL should not redirect.
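
The ordering problem described in this report, as an added example that is not part of the original issue and not the project's own code: a framework-free model of the page handler with the slug redirect before and after the access check, plus a regression check that enumerates ids as an anonymous user. All names (`Page`, `PAGES`, `handle_redirect_first`, `handle_access_first`, `leaked_titles`) and the 403 response are assumptions; the sample pages are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Page:
    id: int
    slug: str
    allowed_users: set = field(default_factory=set)  # empty set = public

    def can_access(self, user):
        return not self.allowed_users or user in self.allowed_users

# Constructed sample data: page 345 is restricted to "alice", 346 is public.
PAGES = {345: Page(345, "sekrit-page", {"alice"}), 346: Page(346, "venue")}

def _canonical(event_id, page):
    return f"/event/{event_id}/page/{page.id}-{page.slug}"

def handle_redirect_first(event_id, page_id, slug, user):
    """Order described in the report: slug normalisation, then access check."""
    page = PAGES.get(page_id)
    if page is None:
        return 404, None
    if slug != page.slug:
        return 302, _canonical(event_id, page)  # title leaks via Location
    if not page.can_access(user):
        return 403, None
    return 200, None

def handle_access_first(event_id, page_id, slug, user):
    """Expected order: access check before any response that names the page."""
    page = PAGES.get(page_id)
    if page is None:
        return 404, None
    if not page.can_access(user):
        return 403, None  # same answer for every slug, no Location header
    if slug != page.slug:
        return 302, _canonical(event_id, page)
    return 200, None

def leaked_titles(handler, event_id, id_range, user=None):
    """Regression check: request bare ids as `user` and collect redirect
    targets that name a page this user is not allowed to see."""
    leaks = {}
    for pid in id_range:
        status, location = handler(event_id, pid, None, user)
        page = PAGES.get(pid)
        if location and page and not page.can_access(user):
            leaks[pid] = location
    return leaks
```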
