Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-147127

It is possible to update its own object entry with the Update Owner permission removed

Details

    Description

      Summary:
      It is possible to update its own object entry with the Update Owner permission removed

      Steps to Reproduce:

      1. Create an object with a field
      2. Publish it
      3. Go to Control Panel > Roles > Create a role
      4. Click on Define Permissions > Search for the created object
      5. Give the Access in Control Panel and Add Object Entry permissions
      6. Go to Control Panel > Users and Organizations
      7. Create a user and assign the created role to the user
      8. Log in with the user
      9. Add an entry on the object
      10. Log in with Test Test
      11. Remove the Access in Control Panel and Add Object Entry permissions from the created role
      12. Go to the Object portlet
      13. Click on the kebab menu from the entry > Permissions
      14. Remove the Update Owner permission
      15. Save it
      16. Log in with the user
      17. Go to the object portlet

      Expected Result:
      User cannot update the entry

      Actual Result:
      User can update the entry

      Verified on master: 9343a25f6b971908978fa61c87bdd11468aa9d22

      Attachments

        Issue Links

          Activity

            People

              evanilson.santana Evanilson Santana
              rodrigo.cunha Rodrigo Cunha (Inactive)
              Kiyoshi Lee Kiyoshi Lee
              Gabriel Albuquerque Gabriel Albuquerque
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                33 weeks, 2 days ago

                Packages

                  Version Package
                  7.4.3.13 CE GA13
                  Master