Details

    • Fix Priority: 4

      Description

      This problem occurs when the user has permission to view the content related to the activity but he does not have permission to access the "container" of that content. For example, if the user has permission to view a wiki page, he will see activities related to it even if he doesn't have permission to view the node. The solution is for the permission system to check the view permission of the "container" dynamically.

      How to reproduce :
      1. Create 2 (regular) roles : "Big" and "Little"
      2. Create one user ("BigUser") with "Big" role and another ("LittleUser") with "Little" role
      3. Create a regular Organization named "Org" and add "BigUser" and "LittleUser" as members
      4. Create a "Wiki" page in "Org" with "view" permission only for "Big" role
      5. Create an "Activities" page in "Org" with "view" permission for "Organization Members" role
      6. Add a "wiki" portlet to "Wiki" page and a "Members' Activities" portlet on "Activities"
      7. Add a wiki page with default permissions ("Viewable by Organization Members")
      ===> A new line appears on "Activities"
      8. Connect with "LittleUser" and go to "Activities"
      ===> In the activity page you could see the activity (it's because the permissions checked are the node and page permissions - and LittleUser has permission to view them).
      9. Click on the link to the new wiki page
      ===> An error appears : you can't access the wiki page (this is because little doesn't have permission to enter in activities page)

      10. Connect back with your admin user
      11. Change permissions to "Wiki" page so that "Little" role can view it
      12. Change Organization's Wiki "Main" node permissions so that only "Big" role can view it
      13. Connect with "LittleUser" and go to "Activities"
      14. Click on the link to the new wiki page
      ===> An error appears : you can't access the wiki node

      Note that I made this example for a wiki but it's also reproducible with other contents too (Calendar events, for example). I tried on an organization, but a Community can have the problem too.
      The problem is here with users' private pages, too.

      Regards,
      Pierre
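
      The container check requested in the report, modelled for both reproduction scenarios. This is an added example, not code from the report or from the product: the `Resource` class, the helper names and the container chain (wiki entry -> wiki node -> portal page) are assumptions, and only the role names come from the steps above.

```python
from dataclasses import dataclass
from typing import Optional

MEMBER = "Organization Member"
LITTLE = frozenset({"Little", MEMBER})   # roles held by "LittleUser"
BIG = frozenset({"Big", MEMBER})         # roles held by "BigUser"

@dataclass
class Resource:
    """Constructed stand-in for a permissioned object (not a product class)."""
    name: str
    view_roles: frozenset
    container: Optional["Resource"] = None

def can_view_content_only(roles, res):
    # Behaviour described in the report: only the content's own
    # view permission decides whether the activity is listed.
    return bool(roles & res.view_roles)

def can_view_with_containers(roles, res):
    # Requested behaviour: walk up the container chain at display time;
    # a single denied ancestor hides the activity.
    node = res
    while node is not None:
        if not roles & node.view_roles:
            return False
        node = node.container
    return True

def visible_activities(roles, entries, check):
    return [e.name for e in entries if check(roles, e)]

def build_scenario(page_roles, node_roles):
    # Constructed chain: wiki entry -> wiki node "Main" -> portal page "Wiki".
    page = Resource("Wiki (page)", frozenset(page_roles))
    node = Resource("Main (node)", frozenset(node_roles), page)
    return [Resource("New wiki entry", frozenset({MEMBER}), node)]

# Steps 1-9: page restricted to "Big", node open to members.
page_locked = build_scenario({"Big"}, {MEMBER})
# Steps 10-14: page opened to "Little", node restricted to "Big".
node_locked = build_scenario({"Big", "Little"}, {"Big"})

if __name__ == "__main__":
    for label, feed in (("page locked", page_locked), ("node locked", node_locked)):
        for check in (can_view_content_only, can_view_with_containers):
            print(label, check.__name__, visible_activities(LITTLE, feed, check))
```
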

              People

              • Votes: 2
              • Watchers: 5

                Dates

                • Days since last comment: 3 years, 35 weeks, 3 days ago
