Private announcements can be viewed through announcement edit

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 6.1.1 CE GA2, 6.1.20 EE GA2
Fix Version/s: 6.0.X EE, 6.1.X EE, --Sprint 11/12, 6.2.0 CE M2
Component/s: Collaboration, Collaboration > Announcements
Labels:
- QA-R
- QA-TP

Branch Version/s:

6.1.x, 6.0.x
Backported to Branch:

Committed

Similar Issues:

Show 4 results

Description

1. Create two Groups/Sites (Group A and Group B). Group B is private and has a private page
2. Create an announcment in private Group B.
3. Create an announcment in Group A
4. Create a User who is member of Group A and able to edit announcments. This user is no member of the private Group B.
5. Open the announcment from Group A with "Edit". In the URL you are able to edit the parameter "entryId" to the ID of the announcement from Group B.
You will get this announcmanet from Group B although you are not a member of Group B and you don't have any access rights.
Here is a short URL example:
?p_p_id=84&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-1&p_p_col_count=1&_84_struts_action=%2Fannouncements%2Fedit_entry&_84_redirect=http%3A%2F%2Flocalhost%3A8080%2Fgroup%2Fjedermannsgruppe%2Fhome%3Fp_p_id%3D84%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_p_col_id%3Dcolumn-1%26p_p_col_count%3D1&_84_entryId=10612

Issue occurs on Trunk 42351a8 [ahead 3947] too.

Please see also:
http://issues.liferay.com/browse/LPS-5452?focusedCommentId=212479&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-212479

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Michael Saechang added a comment - 14/Aug/12 10:55 AM

Committed on:
Portal 6.2.x GIT ID: acd0249a9a48d59e393358254ddecf73bfff9f7e.

Show

Michael Saechang added a comment - 14/Aug/12 10:55 AM Committed on: Portal 6.2.x GIT ID: acd0249a9a48d59e393358254ddecf73bfff9f7e.

Hide

Permalink

Pani Gui added a comment - 14/Aug/12 8:08 PM - edited

PASSED Manual Testing following the steps in the description.

Reproduced on:
Tomcat 7.0 + MySQL 5. 6.1.20 EE GA2.

User who has a edit permission for Announcement can view private announcements through announcement edit.

Fixed on:
Tomcat 6.0 + MySQL 5. Portal 6.0.x GIT ID: 9f20ddaf87d6eaca624c11cd5ac42e54fc31c2f4.
Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: 44f06686b220c5b7052042e7aeff24a9ac371985.
Tomcat 7.0 + MySQL 5. Portal 6.2.x GIT ID: 18a8e1827c736dbcec81a6c26ec44c061ab80fe0.

User can not view private announcements. Showing the required message on the portlet.

Show

Pani Gui added a comment - 14/Aug/12 8:08 PM - edited PASSED Manual Testing following the steps in the description. Reproduced on: Tomcat 7.0 + MySQL 5. 6.1.20 EE GA2. User who has a edit permission for Announcement can view private announcements through announcement edit. Fixed on: Tomcat 6.0 + MySQL 5. Portal 6.0.x GIT ID: 9f20ddaf87d6eaca624c11cd5ac42e54fc31c2f4. Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: 44f06686b220c5b7052042e7aeff24a9ac371985. Tomcat 7.0 + MySQL 5. Portal 6.2.x GIT ID: 18a8e1827c736dbcec81a6c26ec44c061ab80fe0. User can not view private announcements. Showing the required message on the portlet.

People

Assignee:

Pani Gui

Reporter:

Norbert Kocsis

Participants of an Issue:

Michael Saechang, Norbert Kocsis, Pani Gui

Vote (0)

Watch (0)

Dates

Created:

09/Aug/12 8:05 AM

Updated:

19/Mar/13 2:01 PM

Resolved:

31/Aug/12 3:24 AM

Days since last comment:

40 weeks, 4 days ago

Agile

View on Board

~~LPS-2484~~	Announcements can not be 'Marked As Read'
~~LPS-33566~~	Can not send announcements to an Organization Site
LPS-32258	Show author of an announcement
~~LPS-26221~~	Alarms/Announcements are not sent if display date is in the past