Skip to content

Wrong access control on ElementType APIs

  • CreateElementType can be used by anyone with a Contributor access to the corpus
  • UpdateElementType and PartialUpdateElementType can be used by anyone with a Guest access to the corpus

I found this bug by testing something in the frontend, because the frontend has incorrect permission checks on the element type component.