Security Bug: some pages can be viewed even when site access is set to "Members only"
System & Settings > Permissions & Access > Site Access > Members - Only registered users may view the website.
I would expect that when this is selected, anonymous users cannot view any content except for the login page. This would be useful for a company intranet or private site of some kind.
But I've noticed several problems with this:
1. The permissions for individual pages can be overridden to allow "Anonymous" users.
2. Anonymous users can then actually access the page's content, although the page appears broken and a lot of the global areas are missing from the output.
3. Alarmingly, creating a new page sets it to publicly viewable BY DEFAULT.
(This is using simple permissions in Concrete 184.108.40.206)
Is this by design, or a bug?
2. From my quick test, I'm seeing what I'd expect here. I'm just seeing content that is on that particular page, and items on the nav that I don't have access to aren't shown. Global areas are tricky to address in simple permissions mode, as they're not associated with a page as such, so I think not seeing them makes sense.
3. I couldn't replicate this.
I locked off the site to members only, I opened up a different browser and found I couldn't access any page (kicked to login). I then created a new page. In my logged out browser, I couldn't access that page when I manually tried to get to it.
I then tried both swapping the access back to public, as well as specifically assigning the guest permission to the new page - in both cases the access was granted to a non-logged in visitor.
So I'm not picking up a bug as such.
I'm wondering if you have something like varnish caching on your server and that's returning cached versions of pages instead of the actual site returning the correct response.
I'll have to do more testing on a clean install to see if I can replicate it, but here's a screenshot from the site that shows the default permissions for a page type, and then the permissions that were automatically applied when creating the page – note that it defaulted to allow anonymous users and also excluded the "SGS Staff" group from being able to edit it.
I believe the permissions on the left set permissions on being able to _edit the page type itself_. I.e. you wanted to be add a new block to the default page.
See the second heading refers to 'Permissions for all pages created of this type'. It's that section where the initial permissions would be configured for new page - but note the blue notice there - that doesn't apply in simple permissions mode.
So the two things you've connected with your arrow aren't the same things.
(I normally just use advanced permissions, so I could be misreading the screen myself.)
We had some really weird bugs crop up on another site after enabling advanced permissions, so I'm super nervous about enabling it in this case. But I should experiment with it on a dev copy at some point.
Thanks so much for taking the time to respond. Appreciate it.
- Disable anonymous "view" permissions for newly created pages (sets the default)?
- Disable anonymous "view" permissions for all existing pages?