LPS-87393 changes the way permissions are checked on DLFileEntry created in a folder with a Workflow enabled.
Liferay permission mechanisms are "inclusive only"; thats means you cannot deny but only allow someone (a role) to do something.
On Liferay 7.2 the permission chain on a resource is configured using an OSGi component: for example DLFileEntryModelResourcePermissionRegistrar for DLFIleEntry.
Every Registrar define (register) one or many check logics and the rule is:
- if the logic detects actionId is allowed, it could stop the checks and return true
- if the login is not applicable in the context or is not configured to grant the authorization, it return null to pass the ball to next logic.
LPS-87393 doesn't honor this approach for DLFileEntry created inside a workflow.
Inside the private class "DLFileEntryWorkflowedModelResourcePermissionLogic" we have this check
that breaks the chain if the Owner role doesn't grant the VIEW permission.
Seems this code assumes Owner permissions could not be revoked. But Owner permission grants are not static. They could be revoked. We have different implementations where Owner permissions are cleared because too permissive.
For example you could have a site with confidential documents. When a user, a site member, upload a document he becomes the owner. If that user is removed from the site he will continue to see the document because he was the uploader. And he is able to see all future versions of the file.
To avoid a security problem we revoke Owner permissions on files. There are other Site Roles granting needed permissions.
The problem with LPS-87393 is this:
- create a site with a page with DML Widget
- create a Folder and activate a Workflow on it (Simple Approver)
- create a user and make it site member
- as normal user upload a file inside the folder and submit for publication. The use will see the document in pending state
- as administrator use Permissions action to revoke VIEW permission for Owner on the pending file
- as normal user refresh the page. DML breaks