?
avatar Giuse69
Giuse69
12 Dec 2015

Steps to reproduce the issue

Backend: Create a new article with access "Registered" and type "THIS IS SECRET".
Frontend: without being logged in, in smart search start typing "THI.."

Expected result

No suggestion is shown since the sentence is not accessible to unlogged users

Actual result

Smart search shows up "THIS IS SECRET" as a suggestion, while it should not since the content access is just for registered users. Infact, if you type "THIS IS SECRET" in the search box and hit "search", it will not find no occurrence, since the content is not visible to public/guests.

System information (as much as possible)

Joomla 3.4.5 on Windows XAMPP

Additional comments

Votes

# of Users Experiencing Issue
1/2
Average Importance Score
3.50

avatar Giuse69 Giuse69 - open - 12 Dec 2015
avatar ggppdk
ggppdk - comment - 19 Dec 2015

I think this is a known limitation of the implementation for word completing (suggestions),
which gives fast server response but does not take into account things

  • such as access and publication status

There is PR to consider publication status and access when the index is being used here:
#4401
i have not tested if it works or the performance of it

avatar chrisdavenport
chrisdavenport - comment - 8 May 2016
avatar tomartailored
tomartailored - comment - 21 Jul 2016

i have tested it works properly


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/8655.

avatar brianteeman brianteeman - change - 7 Aug 2016
Status New Closed
Closed_Date 0000-00-00 00:00:00 2016-08-07 11:40:39
Closed_By brianteeman
avatar brianteeman
brianteeman - comment - 7 Aug 2016

Closing as this can no longer b replicated. It must have been fixed elsewhere


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/8655.

avatar brianteeman brianteeman - close - 7 Aug 2016
avatar Giuse69
Giuse69 - comment - 9 Aug 2016

It is NOT fixed, the test of tomartailored probably is not correct. I tested also on Joomla 3.6.2 and I am still getting suggestions of words in articles with access limited to registered - NB I refer to suggestions, not to search results that work fine, infact the user receive a suggestion while typing as the word/sentence do exist, then press Enter and no result.
This bug / lack of filter is against privacy/security since it shows restricted content.

avatar brianteeman
brianteeman - comment - 9 Aug 2016

I tested this myself with Joomla 3.6.2, following your instructions and could not replicate

avatar chrisdavenport
chrisdavenport - comment - 9 Aug 2016

This is a known issue and has been since before the first release. It is documented that anyone who wants words from restricted articles to not be shown in the autocompletion should not use autocompletion.

A PR to fix the issue would be welcome, however a general fix is unlikely to be simple (which is probably why nobody has come up with a PR so far).

avatar Giuse69
Giuse69 - comment - 10 Aug 2016

Ok, so che problem is confirmed (probably Brian hasn't tested the autocomplete feature that I was making as "suggestions as you type") :).
Since it's hard to overcome now but I think it's a serious hole in security (you think of hiding information and the autocompleter even suggests you the following words :) ), at least I would add a warning / tooltip when enabling autocomplete that warns about this. Can be done?

avatar Giuse69
Giuse69 - comment - 10 Aug 2016

Language filter is respected, access level not, I think it should be noticed in backend.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/8655.

Add a Comment

Login with GitHub to post a comment