New permission model for Versioned DataObjects
When adding the
Versioned extension to dataobjects, typically it's necessary to explicitly declare
permissions on these objects in order to prevent un-published content surfacing to unauthenticated users.
In order to better support this, versioned by default will now deny canView permissions on objects that are not published.
For more information on how to customise the permission model for versioned dataobjects then please refer to the versioned extension documentation.
Block ?stage=Stage for unauthenticated users
By default users must now be logged in with CMS access permissions in order to change the viewing
mode of the site frontend using the
?stage querystring parameter.
This permission can be customised by altering the
config by assigning a different set of permissions.