This Security Update fixes a problem with object relation visibility: related objects could be displayed even when the user did not have read access to them. After this update, the default templates are modified to check read access before displaying a related object. The check is object based rather than node based, so a related object is displayed if the current user can read ANY of its nodes (locations). Any custom templates you use will need to be modified in the same way if you need this visibility check. Please refer to the following documentation:
Some background information
As these features have never cared much about permissions, we decided to look at ezxmltext for how to solve this. In ezxmltext this is solved in the output layer, a layer between the datatype and the templates. The relation datatypes do not have such a layer, so we solved it in the templates and plan to solve it more natively in "5.x" (aka the new stack).
Potential follow-up enhancements we should all look into in the future are:
- [Legacy kernel] Change the templates to use ( can_read || can_view_embed ) instead of only can_read, to align behavior with ezxmltext
- [5.x kernel] Add an (embeddable) relations view that can display content and/or field relations more efficiently
- [5.x Editorial UI] Better define the expected behavior; for instance, should the editor be warned, as is attempted in ezoe, when a relation is not accessible to the current user?
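To make the template-side check concrete, here is an added example of an attribute view override for an object relation list. It is not the shipped default template and not the code in the linked patch. It assumes the ezobjectrelationlist attribute content layout as exposed to templates ($attribute.content.relation_list, with a contentobject_id per entry) and uses the can_read check that this update introduces; the or( can_read, can_view_embed ) variant in the comment corresponds to the legacy-kernel follow-up listed above.

```tpl
{* Added example override, not eZ Publish's default template or the patch itself.
   Assumed: $attribute is an ezobjectrelationlist attribute whose
   $attribute.content.relation_list entries each carry a contentobject_id. *}
{def $relation_list = $attribute.content.relation_list}
<div class="content-view-related">
{foreach $relation_list as $relation}
    {def $related_object = fetch( 'content', 'object', hash( 'object_id', $relation.contentobject_id ) )}
    {* can_read is evaluated on the object, not on a single node: it is true
       when the current user may read the object through any of its locations.
       Guard on $related_object first, since the fetch returns false for an
       object that no longer exists. *}
    {if and( $related_object, $related_object.can_read )}
        {content_view_gui content_object=$related_object view='embed'}
    {/if}
    {* Variant aligned with ezxmltext embeds, as suggested in the follow-ups:
       {if and( $related_object, or( $related_object.can_read, $related_object.can_view_embed ) )}
           {content_view_gui content_object=$related_object view='embed'}
       {/if} *}
    {undef $related_object}
{/foreach}
</div>
{undef $relation_list}
```

The check must sit inside the loop because the relation list itself is built from the attribute's stored relations, not from a permission-aware fetch; a relation to an unreadable object is still present in $relation_list, so skipping it at display time is what keeps the object hidden. The same pattern applies to ezobjectrelation (single relation) templates, with the object taken from the attribute instead of from a list entry.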
We have also received feedback that the legacy approach should be changed to use a single content relation fetch that deals with visibility and permissions, instead of checks inline in the loops. This would be beneficial in many ways, and contributions to make this possible are more than welcome.
Patch for eZ Publish: https://github.com/ezsystems/ezpublish-legacy/commit/c5ccb6793ee4992eeef22cabc5af5f1fbe02392b