diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2f66524eaf..efbb26c0ff 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ ### Fixes
+* The `@apostrophecms/page` module APIs no longer allow a page to become a child of itself. Thanks to [Maarten Marx](https://github.com/Pixelguymm) for reporting the issue.
 * Uploaded SVGs now permit `` tags granted their `xlink:href` property is a local reference and begins with the `#` character. This improves SVG support while mitgating XSS vulnerabilities.
 * Default properties of object fields present in a widget now populate correctly even if never focused in the editor.
diff --git a/modules/@apostrophecms/page/index.js b/modules/@apostrophecms/page/index.js
index c26eb59f5a..19120e658c 100644
--- a/modules/@apostrophecms/page/index.js
+++ b/modules/@apostrophecms/page/index.js
@@ -1458,6 +1458,10 @@ database.`);
 const manager = self.apos.doc.getManager(moved.type);
 await manager.emit('beforeMove', req, moved, target, position);
 determineRankAndNewParent();
+// Simple check to see if we are moving the page beneath itself
+if (parent.path.split('/').includes(moved.aposDocId)) {
+throw self.apos.error('forbidden', 'Cannot move a page under itself');
+}
 if (!moved._edit) {
 throw self.apos.error('forbidden');
 }
diff --git a/test/pages.js b/test/pages.js
index 8f66474e5b..4d2a7147b5 100644
--- a/test/pages.js
+++ b/test/pages.js
@@ -421,6 +421,16 @@ describe('Pages', function() {
 assert.strictEqual(page.rank, 1);
 });
+it('is not able to move a page under itself', async function() {
+await assert.rejects(
+apos.page.move(apos.task.getReq(), 'cousin:en:published', 'cousin:en:published', 'lastChild'),
+{
+name: 'forbidden',
+message: 'Cannot move a page under itself'
+}
+);
+});
+
 it('is able to move root/cousin before root/parent/child', async function() {
 // 'Cousin' _id === 4312
 // 'Child' _id === 2341
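Review bot: The new ancestor guard in modules/@apostrophecms/page/index.js runs after `manager.emit('beforeMove', ...)` has already fired, so every `beforeMove` handler is invoked for a move that is then rejected; unless those handlers need the `parent` computed by `determineRankAndNewParent()`, consider evaluating the guard before the emit, or otherwise stating in the comment that handlers may observe moves that are subsequently refused. The comment could also record what the check relies on, e.g. `// parent.path appears to be the '/'-joined chain of ancestor aposDocIds (confirm); if the moved page is in it, the move would make it its own descendant`. On that assumption the guard looks right: it covers both the target-is-self case and moving under a descendant, and it handles 'before'/'after' positions because it inspects the computed `parent` rather than `target`. Note that the new check precedes the existing `moved._edit` permission check; authorizing before structural validation is the more conventional order, although the caller sees 'forbidden' either way. The enclosing function starts and ends outside the hunk.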
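Review bot: The new test in test/pages.js only exercises the degenerate case where the target and the moved page share the same id, so the descendant case the path check exists for (moving a page to be lastChild of its own child) is untested. A second `it` using the root/parent/child fixtures already referenced in this block, e.g. `apos.page.move(apos.task.getReq(), 'parent:en:published', 'child:en:published', 'lastChild')` (ids constructed on the pattern of the existing 'cousin:en:published' call; confirm the actual fixture ids), would pin that behaviour with the same `assert.rejects` expectation. It would also be worth asserting afterwards that the rejected page's `path` and `rank` are unchanged, since the guard fires after `beforeMove` handlers have run. The enclosing `describe` block starts and ends outside the hunk.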