Description
Summary
In line 2302 of modx.class.php, `$this->context->checkPolicy('load')` is called, but from what I see it's completely useless at that point, since the user/session has not yet been initialized (compare the order in `$modx->initialize()` around line 530).
So the effect is that a context without the load policy for unauthorized users is still accessible for unauthenticated users.
Steps to reproduce
Remove the load policy from the web context. View a resource from the web context with a fresh browser session (e.g. your browser's incognito mode).
Observed behavior
The context / resource is accessible for any users, even if they don't have the permission to access the context.
Expected behavior
It should not be accessible and the modx unauthorized_page should be shown.
Environment
MODX 2.4.2-pl advanced
Possible Solution
…not 100% sure, but the load policy needs to be checked after the session has been initialized. I'm using this as a temporary workaround (placed after `$modx->initialize('web')`):
```php
if (!$modx->context->checkPolicy('load')) {
    $modx->sendUnauthorizedPage();
    return;
}
```
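The same check packaged as a MODX plugin rather than an edit to index.php (an added example, not the reporter's code and not part of MODX). It assumes it is attached to the `OnHandleRequest` system event, taken here to fire after `$modx->initialize()` has completed so that the session and `$modx->user` exist, and it uses only the `checkPolicy()` / `sendUnauthorizedPage()` calls from the workaround above plus `$modx->log()`.

```php
<?php
/**
 * Added example (not the reporter's code): the workaround above as a MODX
 * plugin. Assumption: it is attached to the OnHandleRequest event, which is
 * taken to run after $modx->initialize(), i.e. after the session and
 * $modx->user have been set up, so the policy check is meaningful here.
 */
if (!isset($modx) || !($modx instanceof modX)) {
    return;
}
if ($modx->event->name !== 'OnHandleRequest') {
    return;
}

// If the user object is still missing, this check would be as meaningless as
// the one at line 2302 of modx.class.php, so log it instead of deciding.
if (!($modx->user instanceof modUser)) {
    $modx->log(modX::LOG_LEVEL_ERROR, 'load policy check skipped: user not initialized');
    return;
}

$contextKey = $modx->context->get('key');
if (!$modx->context->checkPolicy('load')) {
    // Leave a trace of every denial so missing-policy problems show up in the error log.
    $modx->log(modX::LOG_LEVEL_WARN, sprintf(
        'denied load of context "%s" to user "%s"',
        $contextKey,
        $modx->user->get('username')
    ));
    // sendUnauthorizedPage() renders the unauthorized_page resource and exits.
    $modx->sendUnauthorizedPage();
}
```

Attach the plugin to `OnHandleRequest` in the Manager; it does nothing for other events, and it logs rather than blocks if it ever runs before the user is initialized.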
Notes
This does not affect `$modx->switchContext()`, because the session has been initialized before that function is ever triggered. It only affects the first call to `$modx->initialize('any-context')`.