Bug report
Summary
When a user creates a link to an internal resource, either by searching or by selecting from the page tree, both GetTreeProcessor.php and SearchProcessor.php return all resources without checking user permissions (resource groups). So one can see resources that are normally hidden in the left manager tree.
Steps to reproduce
Create a resource group with "load only" permission for ordinary users in the mgr context. Put a resource into this group. Ordinary users should not see it in the manager tree. But they see it using search or the page tree in the create link modal in TinyMCE.
Quick fix
In /core/components/tinymcerte/src/Processors/SearchProcessor.php I have changed the bottom part:
    $results = [];
    if ($c->prepare() && $c->stmt->execute()) {
        // Added check for resource visibility to the user
        while ($r = $c->stmt->fetch(PDO::FETCH_ASSOC)) {
            $res = $this->modx->getObject('modResource', $r['id']);
            // getObject() returns null when the resource cannot be loaded, so guard before checkPolicy()
            if ($res !== null && $res->checkPolicy('view')) {
                $results[] = $r;
            }
        }
        //$results = $c->stmt->fetchAll(PDO::FETCH_ASSOC);
    }
    return $this->outputArray($results);
Something similar should be possible in GetTreeProcessor.php.