
Serious critical bug with permissions on templates

News and General

vw000
482 posts
4 years ago

I upgraded to EE 6 recently and never had issues with access permissions from EE 3, to 4 and 5 until now…

It seems the new roles feature has some serious bugs. I say serious because this is a security risk, leaving critical areas of a site which the public or other members should not have access to exposed wide out in the open.

I had all my template sites with specific login permissions and when I changed a member group, it seems it decided to reset the permissions on almost all templates for that group even when I changed something else for that member or group.

I did not open a bug on GitHub because I don’t know exactly what happened or triggered this.

Lucky me, it was on my dev installation, but I’m afraid to even modify a group permission or a member on the live installation as it tries to also change permissions on templates (not a desired behavior).

It seems when you go to edit a member role, all the templates for that role are also selected (but incorrectly) which means without checking you click save.

       
Andy McCormick
322 posts
4 years ago

Did this happen when you changed the settings for the Group or for an individual template? Or were you updating a role through the Roles section and it changed stuff in templates? Obviously, this could be a pretty big issue, so any screenshots, recordings, exact steps to replicate, etc. would be extremely helpful.

       
vw000
482 posts
4 years ago

I changed something in the default Members role (just the description, nothing fancy), and it messed up the permissions on all templates for the whole site.

I was not expecting that, since I only change template permissions directly on each template as required. It seems this is a new feature introduced in version 6 which allows you to mass update the permissions on all templates from the Edit Roles tab, but it relies on something (I think JavaScript) which I already found to be bugged. Except in this case, not having a template permission selected is rather critical (or even dangerous).

This clearly does not work for me, since I noticed other bugs (already confirmed on GitHub by other people): there seem to be several issues with how checkboxes are loaded on v6 for settings. The settings don’t apply the proper value or don’t reflect them on several parts of version 6. The same checkboxes seem to be used on the Template Access in the new Roles tab. This is just something that will never work for me, as I have thousands of templates.

When you go to a template and edit its permissions, it only needs to load a few settings, in my case 10 roles for members. But from the Roles tab it tries to load all templates in your installation, which are thousands + in my case. I’m not sure this idea was properly designed, at least not for big sites.

Unless I edit the settings on the database directly, I cannot edit any setting on a Role now because it will also load the Template Access tabs by default, which I don’t want or need here. I’d rather just keep editing access permissions directly on the Templates section like we always did on previous versions.

       


Packet Tide owns and develops ExpressionEngine. © Packet Tide, All Rights Reserved.