I have a website created with Sulu CMF. In the webspace settings, security is enabled.
<security permission-check="true">
    <system>my_site</system>
</security>
User Context Caching is implemented, as described here: https://docs.sulu.io/en/2.5/cookbook/user-context-caching.html
In the Permissions tab of a page in the Sulu backend, I activated permissions for my_site and removed all permissions from that page.
As a consequence, the page is not displayed in the website's menu, which is fine. But when the page is browsed directly using the respective URL, it is loaded without problems. I would have expected to get a PERMISSION DENIED from the server.
What needs to be done in Sulu to lock out users from specific pages when they lack permissions for that page?
This is currently a regression in Symfony HTTP Security, which will be fixed in the next release of Sulu. Until then, you need to downgrade Symfony HTTP Security via: