Webdongle - 8 Feb 2020

Steps to reproduce the issue

Set 'Show unauthorised' to Yes.
Create a Category Blog menu item and set 'Show unauthorised' to 'Use Article settings'.
Create an Article with a read more and set 'Show unauthorised' to No.

Expected result

Viewing from the frontend, the Article intro text should not be shown to non logged in visitors.

Actual result

Viewing from the frontend, the Article intro text is shown to non logged in visitors.

System information (as much as possible)

Additional comments

With 'Show Title' set to No in Global and 'Use Article settings' in the Category Blog menu item ... setting it to Show in the Article settings has no effect.

It is as if the 'Use Article settings' options in the Category Blog Options are not being honoured and default to Global. This is a security risk.

Webdongle - open - 8 Feb 2020
joomla-cms-bot - labeled - 8 Feb 2020
brianteeman - comment - 8 Feb 2020

The expected result and the actual result are the same ??

phpwebtech - comment - 8 Feb 2020

No, the expected result and the actual result are not the same.

It doesn't matter what the article setting is set to. The behaviour is the same.

Global: No
Menu: Use Article settings
Article: Yes
The Article setting of Yes is used
Not logged in visitors see intro text in Category/featured blog

Global: No
Menu: Use Article settings
Article: No
The Article setting of No is used
Not logged in visitors see intro text in Category/featured blog


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/27856.
brianteeman - comment - 8 Feb 2020

"No, the expected result and the actual result are not the same."

I am referring to the report where the two are the same. It is hard to comment without knowing what you "think" the expected result is supposed to be.

@Webdongle If you truly believe this to be a security risk (and I still don't know what you are expecting) then you really should have known better than to post a security issue in public.

Webdongle - change - 8 Feb 2020
The description was changed
Webdongle - edited - 8 Feb 2020
Webdongle - comment - 8 Feb 2020

@brianteeman
Thanks, have edited the post. Had forgotten to alter it after copy/paste.

Expected result
Viewing from the frontend, the Article intro text should not be shown to non logged in visitors.

Actual result
Viewing from the frontend, the Article intro text IS shown to non logged in visitors.

phpwebtech - comment - 8 Feb 2020

The expected behaviour:

The Article setting of Yes is used
Not logged in visitors see intro text in Category/featured blog

The Article setting of No is used
Not logged in visitors should NOT see intro text in Category/featured blog

The actual behaviour is as mentioned before:

The Article setting of Yes is used
Not logged in visitors see intro text in Category/featured blog

The Article setting of No is used
Not logged in visitors see intro text in Category/featured blog

The behaviour is the same regardless of whether the Article setting is Yes or No.



brianteeman - comment - 9 Feb 2020

Is this the same issue as #21407

Webdongle - comment - 9 Feb 2020

Looks like it, but have also spotted that (in featured/category blog) 'Use Article setting' for 'Show Title' is not working either.

For some reason the 'Use Article setting' is being ignored and the Global setting is being used instead of the Article setting.

Perhaps the code that initiates the 'Use Global' is being used when 'Use Article setting' should be used?

This is a security issue as far as the end user is concerned. Sensitive content could inadvertently be displayed to the public.

Unlike the other reports, I am using the Protostar template.

brianteeman - comment - 9 Feb 2020

[two screenshots attached]

Webdongle - comment - 9 Feb 2020

Surely that refers to security issues that allow exploits. This is not that type of security issue.

mbabker - comment - 9 Feb 2020

ACL violations are security issues in that someone gaining unauthorized read access to parts of the system is an information leak. This exact scenario is the example used in the impact table on https://developer.joomla.org/security.html. Security issues are not isolated to only malicious code exploits.

Webdongle - comment - 9 Feb 2020
Webdongle - close - 9 Feb 2020
Webdongle - change - 9 Feb 2020
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2020-02-09 16:30:09
Closed_By: Webdongle
phpwebtech - comment - 9 Feb 2020

"Is this the same issue as #21407"

After a quick glance it looks like it might be the same issue.

As I've mentioned in the thread at the Joomla Forum, the "Use Article Setting" in the Menu settings doesn't make sense from a logical point of view. I found the following comment that might explain why:

"Based on code history, the 'Use Article Setting' option was added to menu items by mistake 014b52f#diff-6ffd3a7d782585864181873aea4c2c1fR306."

From a logical point of view it would make more sense for the setting at the Global level to be inherited by the Menu level and the setting at the Menu level to be inherited by the Article level; then the "Use Article Setting" could be omitted.

Since the intros of articles that are restricted to registered users are shown even when the setting at the Article level of "Show Unauthorised Links" is set to No, which shouldn't be the case, this makes me think that the problem might be the SQL query.

Unfortunately, I don't know how the system is built, but it would be of interest to see how the SQL query looks.
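Added example, not Joomla's own code and not posted by anyone in this thread: a PHP model of the Global -> Menu item -> Article cascade discussed above, with the expected resolution beside the collapse-to-Global behaviour the report hypothesises ("Use Article settings" being treated like "Use Global"). The sentinel strings, the access-level numbers and all function names are assumptions of this model, not Joomla's stored values or API.

```php
<?php
// Added example, not Joomla's code: models how a per-article option such as
// "Show Unauthorised Links" should cascade Global -> Menu item -> Article, and
// how the hypothesised bug (menu "Use Article settings" collapsing to Global)
// leaks restricted intro text to guests. Sentinels and access-level numbers
// are assumptions of this model.

const USE_GLOBAL  = 'global';   // assumed sentinel: menu item defers to Global
const USE_ARTICLE = 'article';  // assumed sentinel: menu item defers to the Article

/**
 * Expected cascade: the most specific level that states a real Yes/No wins.
 * $menu is USE_GLOBAL, USE_ARTICLE, '1' (Yes) or '0' (No);
 * $article is true/false, or null when the article itself says "Use Global".
 */
function resolveShowUnauthorised(bool $global, string $menu, ?bool $article): bool
{
    if ($menu === USE_ARTICLE) {
        return $article ?? $global;   // article decides, falling back to Global
    }
    if ($menu === USE_GLOBAL) {
        return $global;
    }
    return $menu === '1';             // explicit Yes/No on the menu item
}

/**
 * Hypothesised buggy cascade: both sentinels collapse to the Global value,
 * so the Article setting is never consulted.
 */
function resolveShowUnauthorisedBuggy(bool $global, string $menu, ?bool $article): bool
{
    if ($menu === '1' || $menu === '0') {
        return $menu === '1';
    }
    return $global;
}

/**
 * Whether a guest sees an article's intro text in a blog view: an article the
 * guest's access levels cover is always listed; a restricted one is listed only
 * when unauthorised links are allowed.
 */
function guestSeesIntro(int $articleAccess, array $guestLevels, bool $showUnauthorised): bool
{
    if (in_array($articleAccess, $guestLevels, true)) {
        return true;
    }
    return $showUnauthorised;
}

// Constructed scenarios. Access level 1 = Public (what a guest holds),
// 2 = Registered (what the article is restricted to).
$guestLevels   = [1];
$articleAccess = 2;

$scenarios = [
    'Global Yes, Menu Use Article, Article No'  => [true,  USE_ARTICLE, false],
    'Global Yes, Menu Use Article, Article Yes' => [true,  USE_ARTICLE, true],
    'Global No,  Menu Use Article, Article Yes' => [false, USE_ARTICLE, true],
    'Global No,  Menu Use Article, Article No'  => [false, USE_ARTICLE, false],
];

foreach ($scenarios as $label => [$global, $menu, $article]) {
    $expected = guestSeesIntro($articleAccess, $guestLevels,
        resolveShowUnauthorised($global, $menu, $article));
    $buggy = guestSeesIntro($articleAccess, $guestLevels,
        resolveShowUnauthorisedBuggy($global, $menu, $article));
    printf("%-45s expected=%-5s buggy=%s\n", $label,
        var_export($expected, true), var_export($buggy, true));
}
```

The first scenario is the one in the report: with the correct cascade the restricted article's intro stays hidden from guests, while under the collapse-to-Global hypothesis it is shown, which is exactly the information leak mbabker describes. The third scenario shows the same defect in the other direction, an article's explicit Yes being ignored.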
