Created by Danny Drogt 07 Jul 2016, 10:24:40
Updated by Ferdy Hoefakker 03 Nov 2016, 11:28:38
I created two Document Types, Website and ContentPage. I assigned Website as "Allowed at root", and assigned ContentPage as an allowed child Document Type of Website.
When I add a new child to a top-level content item of type Website, that list shows only ContentPage as expected. It is, however, possible to change the "doctype" querystring parameter to "Website" and save and even publish a content item of type Website under the Website, although it is not allowed.
This is due to no server-side validation in ContentController.PostSave(), which is present in, for example, PostMove and PostCopy. I understand this might be a kind of edge case, seeing as you need querystring manipulation, but it is a very simple one.
This also brings up another question for me:
This is not restricted to simply the doctype. You can even manipulate the parent node this way and thus add ANY doctype to ANY node.
This should probably be checked upon both page load and post data.
Backwards Compatible: True
Affected versions: 7.4.3
Due in version:
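
A minimal sketch of the server-side structure check the report describes as missing on save, added here as an example; it is not Umbraco's code. The `DocType` and `StructureValidator` types, the `CanCreate` method, the node id `1000` and the `-1` root sentinel are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical, simplified model; these types are NOT Umbraco's API.
class DocType
{
    public string Alias;
    public bool AllowedAtRoot;
    public HashSet<string> AllowedChildren = new HashSet<string>();
}

static class StructureValidator
{
    public const int RootId = -1; // assumed sentinel for "no parent"

    // Re-check on the server what the UI only filtered in its picker.
    // Both docTypeAlias and parentId come from the request and are untrusted.
    public static bool CanCreate(string docTypeAlias, int parentId,
        IDictionary<string, DocType> types, IDictionary<int, string> nodeTypeById)
    {
        DocType requested;
        if (docTypeAlias == null || !types.TryGetValue(docTypeAlias, out requested))
            return false; // unknown doctype
        if (parentId == RootId)
            return requested.AllowedAtRoot;
        string parentAlias;
        if (!nodeTypeById.TryGetValue(parentId, out parentAlias))
            return false; // parent node does not exist
        DocType parentType;
        if (!types.TryGetValue(parentAlias, out parentType))
            return false; // stored node refers to a type that no longer exists
        // The parent's type is read from stored data, never from the request.
        return parentType.AllowedChildren.Contains(requested.Alias);
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample data matching the setup in the report.
        var website = new DocType { Alias = "Website", AllowedAtRoot = true };
        website.AllowedChildren.Add("ContentPage");
        var page = new DocType { Alias = "ContentPage" };
        var types = new Dictionary<string, DocType> { { "Website", website }, { "ContentPage", page } };
        var nodes = new Dictionary<int, string> { { 1000, "Website" } }; // node id -> doctype alias

        Console.WriteLine(StructureValidator.CanCreate("ContentPage", 1000, types, nodes)); // request the UI offers
        Console.WriteLine(StructureValidator.CanCreate("Website", 1000, types, nodes));     // altered doctype value
        Console.WriteLine(StructureValidator.CanCreate("ContentPage", -1, types, nodes));   // altered parent value
    }
}
```

The same check applies whether the values arrive in the querystring on page load or in the posted save model, since both are client-controlled.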