From 36bb1f6dc74bcd8d81e0f0471897d109e0bd5282 Mon Sep 17 00:00:00 2001 From: "https://social.mayfirst.org/mjray" Date: Mon, 5 Feb 2018 06:51:48 -0400 Subject: [PATCH] Try to explain editor loophole to viewing restrictions --- doc/todo/Restrict_page_viewing.mdwn | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/todo/Restrict_page_viewing.mdwn b/doc/todo/Restrict_page_viewing.mdwn index 20b59cb13..d40cee6d1 100644 --- a/doc/todo/Restrict_page_viewing.mdwn +++ b/doc/todo/Restrict_page_viewing.mdwn @@ -40,3 +40,7 @@ much more maintainable htaccess file. >>>>> If you use the httpauth and the cgiauthurl method, you can restrict a path >>>>> like /private/* to be accessible only under the authenticated request uri. + +>>>>>> Note that if editing is enabled, then you should set the restriction in locked_pages too +>>>>>> or they may be able to view pages by editing the page= value in the editor's +>>>>>> query string. --[mjr](http://mjr.towers.org.uk/) -- 2.39.2
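Review bot: In the added note, "they" in "or they may be able to view pages" has no antecedent, so the reader has to guess who gains access. Name the actor, for instance "users who are not allowed to view the restricted path". The note would also be easier to act on if it said what the locked_pages restriction should match, such as the same /private/* path used in the paragraph just above it. It should also say that the two settings need to cover the same pages, since the loophole as described goes through the page= value in the editor's query string rather than through the restricted path.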