PUBLIC - Liferay Portal Community Edition

Dynamic Data List Permissioning not working correctly

Details

  • Type: Bug
  • Status: Closed
  • Priority: Minor
  • Resolution: Fixed
  • Affects Version/s: 6.1.0 CE RC1, 6.2.X
  • Fix Version/s: 6.1.10 EE GA1, 6.1.1 CE GA2, 6.2.X
  • Component/s: Dynamic Data Lists
  • Environment:
    Tomcat 7.0 + MySQL 5. 6.1.x Revision: 96407.
    Tomcat 7.0 + MySQL 5. 6.2.x Revision: 96407.
  • Branch Version/s:
    6.1.x
  • Backported to Branch:
    Committed
  • Business Value:
    4

Description

I created a Role and assigned a user to it.

If I grant no permissions to the role regarding dynamic data lists, then when impersonating the user it appears that I can still view the dynamic data list. This is not correct.

Also, if I then assign all permissions to dynamic data list through the role and impersonate the user, only the Add Record button appears. No Edit etc.

Finally, if I revoke update privileges from the owner of the dynamic data list, the owner can still update a record in the data list.

Activity

Garry X added a comment -

Actually what I found is that if I grant "Update" on the dynamic data list to the role then the "Edit/Delete" action menu shows up.

But I'd have expected that the menu would show up if you have "Edit" or "Delete" privileges, but that only the actions you can do show up in the menu, i.e. if you have "Update" then "Edit" will show up, and if you have "Delete" then "Delete" will show up.

Luyang Tan added a comment -

Hi Garry,
Thanks for the report. You said that finally, if you revoke update privileges from the owner of the dynamic data list, the owner can still update a record in the data list, but I cannot reproduce this bug on trunk revision (96407). I can reproduce the other two errors. I will update this ticket to reflect the errors.

Marcellus Tavares added a comment -

Hey guys, an update on this: any record inherits its permissions from its parent (List). So, if the user has DELETE permission on a given list, they will also have permission to DELETE the list's records. This also applies to the VIEW and UPDATE permissions.

Michael Saechang added a comment -

Committed on:
6.1.x GIT ID: 0766ffd8a3eebe944c37aa0f82d801ca57634dc2.
6.2.x GIT ID: 5b5e826f89158db6130d80af7f4ab95b4f57288a.

Luyang Tan added a comment -

There are two bugs in total in this ticket; one has been fixed, but I can still reproduce the other one.
The fixed one:
PASSED Manual Testing using the following steps:

1. Create a Role and assign a user to it.
2. Assign all permissions to dynamic data lists through the role then impersonating the user.
3. Remove the delete permission and view permission.

Reproduced on:
Tomcat 7.0 + MySQL 5. 6.2.x Git ID: 7a6ec7ac3df4baf72aa7d95fbf4c6c0416663d25.

When I delete these two permissions, I can still delete and view the data list.

Fixed on:
Tomcat 7.0 + MySQL 5. 6.1.x Git ID: 7e26a2966230f4b8579997cb89ce6aa9a25cbbef.
Tomcat 7.0 + MySQL 5. 6.2.x Git ID: 20dbb65c18e6b2c50bbd6986c8b3b7078f84e63b.

When I delete these two permissions, I can only edit the data list.

The failed one:
FAILED Manual Testing using the following steps:

1. Create a Role and assign a user to it.
2. Add dynamic data list display portlet to a page.
3. Grant no permissions to the role regarding dynamic data lists then impersonating the user.

Reproduced on:
Tomcat 7.0 + MySQL 5. 6.2.x GIT ID: 7a6ec7ac3df4baf72aa7d95fbf4c6c0416663d25.

It appears that the user can still view the dynamic data list display portlet.

Failed on:
Tomcat 7.0 + MySQL 5. 6.1.x GIT ID: 7e26a2966230f4b8579997cb89ce6aa9a25cbbef.
Tomcat 7.0 + MySQL 5. 6.2.x GIT ID: 20dbb65c18e6b2c50bbd6986c8b3b7078f84e63b.

In the fixed version, the user can still view the dynamic data list display portlet
(the user shouldn't see the portlet, the same as a guest user).

Marcellus Tavares added a comment -

Hi Luyang, by default we set VIEW permission to guest users and site members but you could change that on the permission tab of the Dynamic Data Lists Display portlet.

Let me know if this helps.
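
An added example, not part of the thread and not Liferay's code: a small Python model of the two behaviours explained in the comments above, namely that records take VIEW, UPDATE and DELETE from their parent list, and that the default VIEW grants to guests and site members keep the display portlet visible to a user whose custom role grants nothing. The role names, resource ids, the test user being a site member, and the per-action menu filtering (the behaviour the reporter expected) are assumptions.

```python
# Added illustration: a simplified model, not Liferay's permission checker.
# Role names, resource ids and grant tables are constructed sample data.
PORTLET, DDL_LIST = "ddl-display-portlet", "ddl-list-1"
MENU_ITEMS = {"Edit": "UPDATE", "Delete": "DELETE"}  # menu label -> list action


def default_grants():
    # Per the thread: VIEW on the display portlet defaults to guests and site members.
    return {
        "Guest": {PORTLET: {"VIEW"}},
        "Site Member": {PORTLET: {"VIEW"}},
        "Custom Role": {},  # the role created in the report, with nothing granted
    }


def has_permission(grants, roles, resource, action):
    # Deny by default: allowed only if at least one held role grants the action.
    return any(action in grants.get(role, {}).get(resource, set()) for role in roles)


def can_on_record(grants, roles, list_id, action):
    # Records hold no grants of their own in this model; VIEW, UPDATE and
    # DELETE on a record are decided by the parent list's permissions.
    return has_permission(grants, roles, list_id, action)


def record_menu(grants, roles, list_id):
    # Offer only the actions the user may perform; an empty result means
    # the action menu is not rendered at all.
    return [label for label, action in MENU_ITEMS.items()
            if can_on_record(grants, roles, list_id, action)]


def revoke(grants, role, resource, action):
    # Remove one action from one role on one resource (no-op if absent).
    grants.get(role, {}).get(resource, set()).discard(action)


if __name__ == "__main__":
    grants = default_grants()
    roles = {"Custom Role", "Site Member"}  # assumed: the test user is a site member
    print("portlet visible by default:", has_permission(grants, roles, PORTLET, "VIEW"))
    revoke(grants, "Site Member", PORTLET, "VIEW")
    revoke(grants, "Guest", PORTLET, "VIEW")
    print("after revoking defaults:", has_permission(grants, roles, PORTLET, "VIEW"))
    grants["Custom Role"][DDL_LIST] = {"UPDATE"}
    print("record menu:", record_menu(grants, roles, DDL_LIST))
```

The check is evaluated over every role the user holds, so auditing a "no permissions" role means auditing the default roles as well.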

Luyang Tan added a comment - - edited

PASSED Manual Testing following the steps in my comment.

Fixed on:
Tomcat 7.0 + MySQL 5. 6.1.x GIT ID: 7ca618e28e1b85ffe92bf401a3e18f9c068dabe3.
Tomcat 7.0 + MySQL 5. 6.2.x GIT ID: c53464a46eea5079ce5d4399ac4d981a3474a9dc.

The user can no longer see the dynamic data list display portlet.

Cynthia Wilburn added a comment -

Reopening to add 6.1.1 CE GA2. Close as Fixed.
