Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-159330

The custom Objects are displayed in the content display fragment although the user doesn't have permission to view it

Details

    Description

      Step to reproduce:

      1. Add a company scope object
        1. Call it "Employee"
        2. Add a text field named "Name"
        3. Panel Category Key: Control Panel -> Users
        4. Publish it
      2. Add an Employee item
        1. Go to Control Panel -> Users
        2. Add an item filling "Name" field with your name
        3. Checkpoint: check the created item permissions and assert that the Guest role doesn't have any permissions over the item
      3. Go to the Liferay site and edit the Home page and add a Content Display fragment
      4. Map the created Employee to the fragment
      5. Publish the content page
      6. Open an incognito window and go to the Home Page (don't log in!)

       Expected Results:
      The fragment shows the text: "You do not have permission to access the requested resource."

       Actual Results:
      The fragment displays the Employee's name

      Attachments

        Issue Links

          Activity

            People

              andre.farias André Farias
              lourdes.fernandez Lourdes Fernandez Besada
              Kiyoshi Lee Kiyoshi Lee
              Lourdes Fernandez Besada Lourdes Fernandez Besada
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                8 weeks, 5 days ago

                Packages

                  Version Package
                  7.4.3.38 CE GA38
                  Master