Mailings are public even when set to "User and User Admin only"
This is an incident, because confidential internal information is easily accessible by calling https://www.example.com/civicrm/mailing/view/?id=3&reset=1 with random mailing ids.
Environment:
- WordPress 5.6.2, 5.7
- CiviCRM 5.35.0, 5.35.1
- CiviMail Classic, CiviMail Mosaico
Precondition:
- A Mailing with id 3 is set up with Mailing Visibility set to "User and User Admin Only"
Action:
- Open a private browser tab without being logged in
- Call URL: https://www.example.com/civicrm/mailing/view/?id=3&reset=1
Expected behavior:
- The mailing is not accessible.
Actual behavior:
- The mailing is accessible.
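
For site operators checking whether this has already been used against them, the following added example (not part of the original report and not CiviCRM code) scans web server access logs for clients that requested many distinct ids on the mailing view path. The log lines are constructed samples in the common "combined" format, and the threshold and function names are assumptions; the access log does not show login state, so hits need to be compared against known staff activity.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format (not from the report).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:10:00:01 +0000] "GET /civicrm/mailing/view/?id=1&reset=1 HTTP/1.1" 200 5120 "-" "curl/7.68.0"
203.0.113.7 - - [10/Mar/2021:10:00:02 +0000] "GET /civicrm/mailing/view/?id=2&reset=1 HTTP/1.1" 200 4988 "-" "curl/7.68.0"
203.0.113.7 - - [10/Mar/2021:10:00:03 +0000] "GET /civicrm/mailing/view/?id=3&reset=1 HTTP/1.1" 200 6033 "-" "curl/7.68.0"
203.0.113.7 - - [10/Mar/2021:10:00:04 +0000] "GET /civicrm/mailing/view/?id=4&reset=1 HTTP/1.1" 404 310 "-" "curl/7.68.0"
198.51.100.20 - - [10/Mar/2021:10:05:00 +0000] "GET /civicrm/mailing/view/?id=3&reset=1 HTTP/1.1" 200 6033 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2021:10:05:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# client ip, request target and status code of a GET/HEAD request
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
VIEW_PATH = "/civicrm/mailing/view"  # path taken from the URL in the report


def mailing_views(log_text):
    """Yield (client_ip, mailing_id, status) for each mailing view request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        url = urlsplit(target)
        if url.path.rstrip("/") != VIEW_PATH:
            continue
        ids = parse_qs(url.query).get("id", [])
        if ids and ids[0].isdigit():
            yield ip, int(ids[0]), status


def flag_enumeration(log_text, min_distinct_ids=3):
    """Return {ip: sorted ids answered with 200} for clients that tried many ids."""
    tried, served = defaultdict(set), defaultdict(set)
    for ip, mailing_id, status in mailing_views(log_text):
        tried[ip].add(mailing_id)
        if status == 200:
            served[ip].add(mailing_id)
    # min_distinct_ids is an assumed threshold; tune it to normal traffic.
    return {ip: sorted(served[ip]) for ip, ids in tried.items()
            if len(ids) >= min_distinct_ids}


if __name__ == "__main__":
    for ip, ids in flag_enumeration(SAMPLE_LOG).items():
        print(f"{ip} requested many mailing ids; served: {ids}")
```

The ids listed for a flagged client are the mailings whose content should be treated as disclosed and reviewed.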