Enonic version: 7.14.4
Content studio version: 5.2.3
Hei,
I’ve noticed it is possible for editors to modify the sorting of nodes for which they have no edit permissions. The “Sort” button in the top menu is greyed out and inactive when it should be. However the sort button on the content node itself, which is visible whenever sorting has been altered before, is not inactive when it should be. So one can always open up the sorting menu, move items and save.
Tested with a user that was in a group with the following roles:
- cms.cm.app
- system.admin.login
The content node tree of our project itself has one main site node, which contains several nested site nodes.
The group to which the user was added had full-access to one specific subsite in the content, but none of the other sites, where it only had “Can read”.