apostrophecms · boutell · Sep 20, 2024 · Sep 12, 2024 · Sep 20, 2024 · boutell
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,7 @@
 
 ### Fixes
 
+* The `@apostrophecms/page` module APIs no longer allow a page to become a child of itself. Thanks to [Maarten Marx](https://github.com/Pixelguymm) for reporting the issue.
 * Uploaded SVGs now permit `<use>` tags granted their `xlink:href` property is a local reference and begins with the `#` character. This improves SVG support while mitgating XSS vulnerabilities.
 * Default properties of object fields present in a widget now populate correctly even if never focused in the editor.
 

diff --git a/modules/@apostrophecms/page/index.js b/modules/@apostrophecms/page/index.js
@@ -1458,6 +1458,10 @@ database.`);
           const manager = self.apos.doc.getManager(moved.type);
           await manager.emit('beforeMove', req, moved, target, position);
           determineRankAndNewParent();
+          // Simple check to see if we are moving the page beneath itself
+          if (parent.path.split('/').includes(moved.aposDocId)) {
+            throw self.apos.error('forbidden', 'Cannot move a page under itself');
+          }
           if (!moved._edit) {
             throw self.apos.error('forbidden');
           }

diff --git a/test/pages.js b/test/pages.js
@@ -421,6 +421,16 @@ describe('Pages', function() {
     assert.strictEqual(page.rank, 1);
   });
 
+  it('is not able to move a page under itself', async function() {
+    await assert.rejects(
+      apos.page.move(apos.task.getReq(), 'cousin:en:published', 'cousin:en:published', 'lastChild'),
+      {
+        name: 'forbidden',
+        message: 'Cannot move a page under itself'
+      }
+    );
+  });
+
   it('is able to move root/cousin before root/parent/child', async function() {
     // 'Cousin' _id === 4312
     // 'Child' _id === 2341