Summary
An authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section.
Details
Root-cause analysis
- actionMoveToSection accepts sectionId and entryIds, loads entries, and iterates:
Craft::$app->getEntries()->moveEntryToSection($entry, $section).
- The endpoint does not enforce per-entry or per-section authorization checks.
moveEntryToSection() also does not enforce current-user authorization.- There is a permission check in
actionMoveToSectionModalData for building UI options, but that check is not enforced in the actual endpoint.
- Therefore, a direct POST request can bypass UI filtering and perform unauthorized entry moves.
Impact
- This is an authorization bypass permitting unauthorized content changes.
- Authenticated low-privileged control panel users can move entries they should not be able to manage, violating integrity and potentially disrupting routing/editorial controls.
References
3c1ab1c4445
Summary
An authenticated control panel user with only accessCp can move entries across sections via POST
/actions/entries/move-to-section, even when they do not havesaveEntries:{sectionUid}permission for either source or destination section.Details
Root-cause analysis
Craft::$app->getEntries()->moveEntryToSection($entry, $section).moveEntryToSection()also does not enforce current-user authorization.actionMoveToSectionModalDatafor building UI options, but that check is not enforced in the actual endpoint.Impact
References
3c1ab1c4445