
eZ Publish security fixes 3.9.3 and 3.8.9

The eZ Publish 3.9.3 and 3.8.9 releases fix a security issue of high
severity. These releases also fix several reported bugs.

Insufficient permission checking on views without a policy function defined

Insufficient permission checking was done on module views that do not have a policy function defined. This could cause problems in modules where views with a policy function were mixed with views without a policy function. This flaw made the discount functionality in the shop module vulnerable. Sites where users have explicit permission to policies in the setup module could also be vulnerable.
All users who use the discount functionality in the shop module, or who have defined roles with explicit policies in the setup module, are encouraged to upgrade to the corresponding release. Users whose sites contain views with and without policy functions in the same custom module are also encouraged to upgrade to the corresponding release, or to update their custom code so that every view has a policy function defined. Information on how to define policy functions in views in custom code is described here.
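
One way to find such views in custom code, as an added example that is not part of the original announcement or of eZ Publish itself: the script below loads module definition files and reports views that have no policy function, flagging modules that mix both kinds. It assumes the usual module.php layout, in which each $ViewList entry names its policy functions under a 'functions' key; the sample module and its view names are constructed.

```php
<?php
// Added example: audit eZ Publish module definitions for views that lack a
// policy function. Assumption: module.php assigns $ViewList, and a view lists
// its policy functions under the 'functions' key.

function auditViews( array $viewList )
{
    $result = array( 'protected' => array(), 'unprotected' => array() );
    foreach ( $viewList as $viewName => $view )
    {
        // A missing or empty 'functions' entry means no policy function is defined.
        $functions = isset( $view['functions'] ) ? (array) $view['functions'] : array();
        $key = count( $functions ) > 0 ? 'protected' : 'unprotected';
        $result[$key][] = $viewName;
    }
    // The advisory singles out modules that contain both kinds of view.
    $result['mixed'] = count( $result['protected'] ) > 0
                    && count( $result['unprotected'] ) > 0;
    return $result;
}

function auditModuleFile( $path )
{
    $ViewList = array();
    include $path; // module.php only assigns arrays; run this on code you own
    return auditViews( $ViewList );
}

function formatReport( $label, array $result )
{
    $status = $result['mixed'] ? 'MIXED' : 'ok';
    $views = $result['unprotected'] ? implode( ', ', $result['unprotected'] ) : '-';
    return "$label: $status (views without policy function: $views)";
}

if ( isset( $argv ) && count( $argv ) > 1 )
{
    // Usage: php audit_views.php path/to/module.php [more module.php files]
    foreach ( array_slice( $argv, 1 ) as $path )
        echo formatReport( $path, auditModuleFile( $path ) ), PHP_EOL;
}
else
{
    // Constructed sample: a hypothetical custom module with one unprotected view.
    $sample = array(
        'list'   => array( 'script' => 'list.php', 'functions' => array( 'read' ) ),
        'export' => array( 'script' => 'export.php' ) );
    echo formatReport( 'sample module', auditViews( $sample ) ), PHP_EOL;
}
```

A view reported here needs a policy function added to its definition in the module's module.php, as the upgrade advice above describes.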

See the changelogs for a complete list of fixed bugs:

eZ Publish 3.9.3 changelog

eZ Publish 3.8.9 changelog

The releases are available for download from our eZ Publish download page.
