U4-8705 - Able to create not-allowed Document Types through querystring manipulation

Created by Danny Drogt 07 Jul 2016, 10:24:40 Updated by Ferdy Hoefakker 03 Nov 2016, 11:28:38

I created two Document Types, Website and ContentPage. I assigned Website as "Allowed at root", and assigned ContentPage as an allowed child Document Type of Website.

When I add a new child to a top-level content item of type Website, that list shows only ContentPage as expected. It is, however, possible to change the "doctype" querystring parameter to "Website" and save and even publish a content item of type Website under the Website, although it is not allowed.

This is due to no server-side validation in ContentController.PostSave(), which is present in for example PostMove and PostCopy. I understand this might be a kind of edge case, seeing as you need querystring manipulation, but it is a very simple one.

This also brings up another question for me:

  • Should the allowed document types be enforced for admins? I think it might be really usefull to be able to "configure" for what UserTypes these rules are enforced. It would give admins/devs the possibilty to just add all kinds of content to the site structure that is relevant, but could restrain content editors from doing so. It would prevent constant back-and-forth modification of the allowed document types.


Ferdy Hoefakker 03 Nov 2016, 11:28:38

This is not restricted to simply the doctype. You can even manipulate the parent node this way and thus add ANY doctype to ANY node.

This should probably be checked upon both page load and post data.

Priority: Normal

Type: Bug

State: Submitted


Difficulty: Easy

Category: Security

Backwards Compatible: True

Fix Submitted:

Affected versions: 7.4.3

Due in version:


Story Points: