Journal - Edit article : a user with "Add article" permission cannot update his articles after save

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 5.1.2
Fix Version/s: 5.2.0
Component/s: None
Labels:
None
Environment:
Liferay 5.1.2 Tomcat 5.5 Windows.

Similar Issues:

Show 5 results

Description

A user has "Add article" permission. (not approve permission)
The user can add an article and save it.
After 1st "save" or "save and continue", the user cannot update his article. He should be able to do that.
Update permission cannot be set at the same level as we set the "add article" permission, which result in inconsistency, and make journal unusable.

Here is my proposed fix, which is "quick&dirty", i.e. I do not know if it should be applied on other pages/portlets. I think there is no or very limited impact (regression tests).

File: "edit_article.jsp" in "./html/portlet/journal"

<%
boolean hasSavePermission = false;

if (article != null)

{ hasSavePermission = JournalArticlePermission.contains(permissionChecker, groupId, articleId, ActionKeys.UPDATE) || article.getUserId() == permissionChecker.getUserId(); }

else

{ hasSavePermission = PortletPermissionUtil.contains(permissionChecker, plid, PortletKeys.JOURNAL, ActionKeys.ADD_ARTICLE); }

I added a condition to test the article ownership.
Hope this helps.

Regards
Hervé

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Hervé Ménage added a comment - 20/Nov/08 2:50 AM

See the forum thread:
http://www.liferay.com/web/guest/community/forums/-/message_boards/message/1613526

Show

Hervé Ménage added a comment - 20/Nov/08 2:50 AM See the forum thread: http://www.liferay.com/web/guest/community/forums/-/message_boards/message/1613526

Hide

Permalink

Hervé Ménage added a comment - 20/Nov/08 6:12 AM

Hi,

Sorry, this "fix" is not working at all actually...
However, looking at the source, it looks like there is a bug in the permissionchecker : the user should have owner permissions on the article, should not he? Thus he should be able to update his article.

The only workaround I found by using the permissions, is to set the Journal portlet "Update" permission to the community role. But the user can update all the articles, even when he is not the owner. Thus we cannot set permission for individual articles.

Hervé

Show

Hervé Ménage added a comment - 20/Nov/08 6:12 AM Hi, Sorry, this "fix" is not working at all actually... However, looking at the source, it looks like there is a bug in the permissionchecker : the user should have owner permissions on the article, should not he? Thus he should be able to update his article. The only workaround I found by using the permissions, is to set the Journal portlet "Update" permission to the community role. But the user can update all the articles, even when he is not the owner. Thus we cannot set permission for individual articles. Hervé

Hide

Permalink

Amos Fong added a comment - 09/Dec/08 11:34 AM - Restricted to

Fixed the root cause in journalarticlepermission.java.

Rev. 23585

Show

Amos Fong added a comment - 09/Dec/08 11:34 AM - Restricted to Fixed the root cause in journalarticlepermission.java. Rev. 23585

Hide

Permalink

Chris Whittle added a comment - 09/Feb/09 12:17 PM

Amos can you elaborate on your fix? I'd like to replicate it in 5.1.2

Show

Chris Whittle added a comment - 09/Feb/09 12:17 PM Amos can you elaborate on your fix? I'd like to replicate it in 5.1.2

Hide

Permalink

Amos Fong added a comment - 09/Feb/09 1:03 PM - Restricted to

JournalArticlePermission.java

_> 74 74
75 75 if (permissionChecker.hasOwnerPermission(
76 76 article.getCompanyId(), JournalArticle.class.getName(),
<> 77 - article.getPrimaryKey(), article.getUserId(), actionId)) {
77 + article.getResourcePrimKey(), article.getUserId(), actionId))

{ <_ 78 78 79 79 return true; 80 80 }

You should be able to see the diffs in fisheye

Show

Amos Fong added a comment - 09/Feb/09 1:03 PM - Restricted to JournalArticlePermission.java _> 74 74 75 75 if (permissionChecker.hasOwnerPermission( 76 76 article.getCompanyId(), JournalArticle.class.getName(), <> 77 - article.getPrimaryKey(), article.getUserId(), actionId)) { 77 + article.getResourcePrimKey(), article.getUserId(), actionId)) { <_ 78 78 79 79 return true; 80 80 } You should be able to see the diffs in fisheye

Hide

Permalink

Chris Whittle added a comment - 09/Feb/09 1:28 PM

thanks Amos worked like a charm!

Show

Chris Whittle added a comment - 09/Feb/09 1:28 PM thanks Amos worked like a charm!

Hide

Permalink

Chris Whittle added a comment - 10/Feb/09 7:52 AM

Amos, Is there a fix on users not able to change the permissions on Journals they own? I'm not sure this is related or if I need to open another problem record? If a non-admin user tries to change the permissions on their content it gives them "You do not have the required permissions. "

Show

Chris Whittle added a comment - 10/Feb/09 7:52 AM Amos, Is there a fix on users not able to change the permissions on Journals they own? I'm not sure this is related or if I need to open another problem record? If a non-admin user tries to change the permissions on their content it gives them "You do not have the required permissions. "

Hide

Permalink

Amos Fong added a comment - 10/Feb/09 9:26 AM

Hm...~~LPS-1543~~ was done to fix it, but it may be incomplete?

Show

Amos Fong added a comment - 10/Feb/09 9:26 AM Hm... LPS-1543 was done to fix it, but it may be incomplete?

Hide

Permalink

Amos Fong added a comment - 10/Feb/09 9:31 AM

Yea so it looks like it only fixes the top level entities like folders and not the actual entries...I suppose as a patch you can just add more if statements for everything

Show

Amos Fong added a comment - 10/Feb/09 9:31 AM Yea so it looks like it only fixes the top level entities like folders and not the actual entries...I suppose as a patch you can just add more if statements for everything

Hide

Permalink

Chris Whittle added a comment - 10/Feb/09 1:50 PM

I'm looking at 5.12 (possibly 5.13) so the fix looks to be for 5.2 do you know if it was backported to 5.1.3?

Show

Chris Whittle added a comment - 10/Feb/09 1:50 PM I'm looking at 5.12 (possibly 5.13) so the fix looks to be for 5.2 do you know if it was backported to 5.1.3?

Hide

Permalink

Amos Fong added a comment - 10/Feb/09 1:55 PM

Doesn't look like it. You can tell by looking in Fisheye, it will show 5.1.x if it was backported.

Show

Amos Fong added a comment - 10/Feb/09 1:55 PM Doesn't look like it. You can tell by looking in Fisheye, it will show 5.1.x if it was backported.

People

Assignee:

Amos Fong

Reporter:

Hervé Ménage

Participants of an Issue:

Amos Fong, Chris Whittle, Hervé Ménage

Vote (0)

Watch (1)

Dates

Created:

20/Nov/08 2:49 AM

Updated:

10/Feb/09 1:55 PM

Resolved:

09/Dec/08 11:34 AM

Days since last comment:

4 years, 15 weeks, 1 day ago

Agile

View on Board

~~LPS-1062~~	Content in Journal Article Being Deleted after saving
~~LPS-24697~~	Comment Permissions - a user cannot edit / delete his own comments and cannot edit / delete the comments of other users if given the permission to do so
~~LPS-1443~~	The Journal Articles are not displaying in 'Journal Articles', 'Journal Content', and 'Asset Publisher'.
~~LPS-17005~~	Error with updating Journal Article in case Language was changed
~~LPS-10444~~	Edit Web Content Article