Backend: Create a new article with access "Registered" and type "THIS IS SECRET".
Frontend: without being logged in, in smart search start typing "THI.."
No suggestion is shown since the sentence is not accessible to unlogged users
Smart search shows up "THIS IS SECRET" as a suggestion, while it should not since the content access is just for registered users. Infact, if you type "THIS IS SECRET" in the search box and hit "search", it will not find no occurrence, since the content is not visible to public/guests.
Joomla 3.4.5 on Windows XAMPP
See also: https://issues.joomla.org/tracker/joomla-cms/4401
i have tested it works properly
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2016-08-07 11:40:39 |
Closed_By | ⇒ | brianteeman |
Closing as this can no longer b replicated. It must have been fixed elsewhere
It is NOT fixed, the test of tomartailored probably is not correct. I tested also on Joomla 3.6.2 and I am still getting suggestions of words in articles with access limited to registered - NB I refer to suggestions, not to search results that work fine, infact the user receive a suggestion while typing as the word/sentence do exist, then press Enter and no result.
This bug / lack of filter is against privacy/security since it shows restricted content.
I tested this myself with Joomla 3.6.2, following your instructions and could not replicate
This is a known issue and has been since before the first release. It is documented that anyone who wants words from restricted articles to not be shown in the autocompletion should not use autocompletion.
A PR to fix the issue would be welcome, however a general fix is unlikely to be simple (which is probably why nobody has come up with a PR so far).
Ok, so che problem is confirmed (probably Brian hasn't tested the autocomplete feature that I was making as "suggestions as you type") :).
Since it's hard to overcome now but I think it's a serious hole in security (you think of hiding information and the autocompleter even suggests you the following words :) ), at least I would add a warning / tooltip when enabling autocomplete that warns about this. Can be done?
Language filter is respected, access level not, I think it should be noticed in backend.
I think this is a known limitation of the implementation for word completing (suggestions),
which gives fast server response but does not take into account things
There is PR to consider publication status and access when the index is being used here:
#4401
i have not tested if it works or the performance of it