- Type: Bug
- Status: Closed
- Resolution: Fixed
- Affects Version/s: Master
- Fix Version/s: Master
- Component/s: Forms, Security Vulnerability
- Labels: None
- Fix Priority: 4
- Sprint: Forms_7.4_07
- Git Pull Request:
Steps to reproduce
- Go to Control Panel -> Users and Organizations -> Add User
- Create a new user and save
- Still on the edit page of the created user:
  - Go to Memberships -> Sites -> Select the option Liferay -> Save
  - Go to Password and create a new password -> Save
- Go to Control Panel -> Instance Settings -> User Authentication
- Disable the option "Require strangers to verify their email address?"
- Go to Content & Data -> Forms -> Add a new Form
- Add an Upload Field
- Enable the option "Allow Guest Users to Send Files"
- Publish the Form and copy the public URL created
- Log out and go to the public URL
- Upload a file as a guest user
- Submit the Form
- Log in with the new User created previously
- Go to the public URL
- Click on the Select button of the Upload Field
- Go to the Documents and Media tab
- Navigate into the Forms folder
  - Path: com.liferay.dynamic.data.mapping.form.web -> Forms
Actual result
The authenticated user is able to view the documents uploaded by guest users in the Forms folder.
Expected result
There's no Documents and Media tab that the user can navigate.
Note: We must test with a user other than Test because, as an admin, Test is allowed to see all folders.
- is caused by: LPS-125994 The User Personal Folder tab is missing in Upload field (Closed)
- is related to: LPS-125456 Not authorized users can still see documents uploaded by other users (Closed)