Copilot AI commented Jan 12, 2026

Content version history was accessible to any user with READ permission. This allows users to view historical versions of content they cannot modify, which may expose sensitive information or workflow states.

Changes

  • FindContentVersionsCommand: Added permission check before retrieving version history
    • Validates user has MODIFY permission on the content node
    • Admin users bypass the check
    • Throws ContentAccessException when permission is denied
  • Tests: Added coverage for permission enforcement
    • Verify users without MODIFY permission are denied access
    • Verify users with MODIFY permission can retrieve version history

Implementation

private void checkModifyPermission( final Node node )
{
    final AuthenticationInfo authInfo = ContextAccessor.current().getAuthInfo();
    
    if ( authInfo.hasRole( RoleKeys.ADMIN ) )
    {
        return;
    }
    
    final boolean hasModifyPermission = node.getPermissions()
        .isAllowedFor( authInfo.getPrincipals(), Permission.MODIFY );
    
    if ( !hasModifyPermission )
    {
        throw new ContentAccessException( null, authInfo.getUser(), 
            ContentNodeHelper.translateNodePathToContentPath( node.path() ), 
            Permission.MODIFY );
    }
}

Permission check occurs on the current draft branch version before querying version history.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • scans-in.gradle.com
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-opens=java.base/java.nio.charset=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.base/java.util.concurrent.atomic=ALL-UNNAMED --add-opens=java.xml/javax.xml.namespace=ALL-UNNAMED --add-opens=java.base/java.time=ALL-UNNAMED -Xmx2048m -Dfile.encoding=UTF-8 -Duser.country -Duser.language=en -Duser.variant (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>Node.MODIFY permission to see content version history</issue_title>
<issue_description>Only users with Node.MODIFY permission (current version on draft branch) should have access to Content Version history of a specific Content</issue_description>

Comments on the Issue (you are @copilot in this section)


Co-authored-by: rymsha <2891483+rymsha@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix Node.MODIFY permission for content version history access" to "Require MODIFY permission to access content version history" Jan 12, 2026
Copilot AI requested a review from rymsha January 12, 2026 09:07
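
The gate described in this pull request, modeled as a self-contained Java program (an added example, not code from the pull request or the project). The types `Principal`, `Node` and `AccessDenied`, the role string `admin`, and the sample path and version labels are simplified, hypothetical stand-ins; the program shows that a READ-only caller is rejected before the version store is queried, while a MODIFY holder and an admin receive the history.

```java
import java.util.*;

// Added example: simplified stand-ins, not the project's classes.
public class VersionHistoryGateDemo {
    enum Permission { READ, MODIFY }

    record Principal(String name, Set<String> roles) {}

    // ACL of the draft-branch node: principal name -> granted permissions.
    record Node(String path, Map<String, Set<Permission>> acl) {
        boolean allows(Principal p, Permission perm) {
            return acl.getOrDefault(p.name(), Set.of()).contains(perm);
        }
    }

    static class AccessDenied extends RuntimeException {
        AccessDenied(Principal p, String path, Permission perm) {
            super(p.name() + " lacks " + perm + " on " + path);
        }
    }

    static int storeQueries = 0; // counts hits on the (constructed) version store

    static List<String> findVersions(Node draft, Principal caller) {
        // Authorize first: a denied caller must never reach the version store.
        if (!caller.roles().contains("admin") && !draft.allows(caller, Permission.MODIFY)) {
            throw new AccessDenied(caller, draft.path(), Permission.MODIFY);
        }
        storeQueries++;
        return List.of("v3 (draft)", "v2", "v1"); // constructed sample history
    }

    public static void main(String[] args) {
        Node draft = new Node("/site/news/article", Map.of(
            "reader", Set.of(Permission.READ),
            "editor", Set.of(Permission.READ, Permission.MODIFY)));
        List<Principal> callers = List.of(
            new Principal("reader", Set.of()),
            new Principal("editor", Set.of()),
            new Principal("ops", Set.of("admin"))); // no ACL entry, admin role only
        for (Principal p : callers) {
            try {
                System.out.println(p.name() + " -> " + findVersions(draft, p));
            } catch (AccessDenied e) {
                System.out.println(p.name() + " -> denied: " + e.getMessage());
            }
        }
        System.out.println("store queries: " + storeQueries);
    }
}
```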