RelationField: anonymous user can view private items

I have reported what I think could be an issue in relation fields.
TLDR: custom content-type with a relation field -> set a private element as the related element -> set the custom object as public -> you can access (maybe only read?) the private element from the public element as anonymous.

Thoughts? Is this behavior needed somewhere or is it actually an issue?


It is possible to expose URLs or paths to private objects however you should not be able an object if you don't have View rights on it. So if you create a link to a private content object then you have possible information for the outside world that should not be their but you would not be able to access it.

Do you mean 'read the fields of the content' or do you mean 'indexes of the content' ?

I am quite sure it is like this.
to_object is stored in you (readable) content
The indexes for that object can be shown

In other words: in your related widget (or view), you can do this:

  <tal:repeat tal:repeat="item context/relatedItems">

But you can not show for example the body text.

There is no 'permissions' on the catalog indexes (I think)

Actually, to_object gets the real object (no catalog search involved) and gets it through an unrestrictedTraverse. Details about how it gets to the unrestrictedTraverse are in the linked github issue.
After retrieving the object I was able to read its fields as a user with no View permission on it.

On a side note: the related items viewlet gets the paths of the items from to_path, then queries the catalog, therefore user permissions are checked in that step. See:

Plone Foundation Code of Conduct