The ACSD-53414 patch fixes the issue where a restricted admin user can see CMS pages outside their permissions scope. This patch is available when the Quality Patches Tool (QPT) 1.1.40 is installed. The patch ID is ACSD-53414. Please note that the issue is scheduled to be fixed in Adobe Commerce 2.4.7.
The patch is created for Adobe Commerce version:
Compatible with Adobe Commerce versions:
The patch might become applicable to other versions with new Quality Patches Tool releases. To check if the patch is compatible with your Adobe Commerce version, update the
magento/quality-patches package to the latest version and check the compatibility on the Quality Patches Tool: Search for patches page. Use the patch ID as a search keyword to locate the patch.
Restricted admin users can see CMS pages beyond their permissions scope.
Steps to reproduce:
Create a new website (sub_website), store (sub_store), and storeview (sub_storeview).
Create a sub_expert role, allowing the scope of sub_website and sub_store. Assign the following permissions only: Dashboard and Pages.
Create a new admin user and assign it to the sub_expert role.
Assign the following CSM pages to sub_storeview and default storeview.
Sign in to the Admin using the admin user created in Step 3.
Check the CMS page grid.
503 Service Unavailable page is not visible to the web admin.
503 Service Unavailable is visible to the web admin.
To apply individual patches, use the following links depending on your deployment method:
To learn more about Quality Patches Tool, refer to:
For info about other patches available in QPT, refer to Quality Patches Tool: Search for patches in the Quality Patches Tool guide.