Details

    • Fix Priority:
      4

      Description

      This problem occurs when the user has permission to view the content related to the activity but he does not have permission to access the "container" of that content. For example, if the user has permission to view a wiki page, he will see activities related to it even if he doesn't have permission to view the node. The solution is for the permission system to check the view permission of the "container" dynamically.

      How to reproduce :
      1. Create 2 (regular) roles : "Big" and "Little"
      2. Create one user ("BigUser") with "Big" role and another ("LittleUser") with "Little" role
      3. Create a regular Organization named "Org" and add "BigUser" and "LittleUser" as members
      4. Create a "Wiki" page in "Org" with "view" permission only for "Big" role
      5. Create an "Activities" page in "Org" with "view" permission for "Organization Members" role
      6. Add a "wiki" portlet to "Wiki" page and a "Members' Activities" portlet on "Activities"
      7. Add a wiki page with default permissions ("Viewable by Organization Members")
      ===> A new line appears on "Activities"
      8. Connect with "LittleUser" and go to "Activities"
      ===> In the activity page you could see the activity (It's because the permissions checked are the node and page permissions - and LittleUser has permission to view them.)
      9. Click on the link to the new wiki page
      ===> An error appears : you can't access the wiki page (this is because little doesn't have permission to enter in activities page)

      10. Connect back with your admin user
      11. Change permissions to "Wiki" page so that "Little" role can view it
      12. Change Organization's Wiki "Main" node permissions so that only "Big" role can view it
      13. Connect with "LittleUser" and go to "Activities"
      14. Click on the link to the new wiki page
      ===> An error appears : you can't access the wiki node

      Note that I made this example for a wiki but it's also reproducible with other contents too (Calendar events, for example). I tried on an organization, but a Community can have the problem too.
      The problem is here with users' private pages, too.

      Regards,
      Pierre
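
A container-aware feed filter of the kind the report asks for, as an added example that is not part of the original report and is not Liferay code. The `Resource` model, the function names and the activity text are constructed for illustration; role and page names come from the reproduction steps.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Resource:
    name: str
    view_roles: frozenset          # roles granted "view" on this resource
    containers: tuple = ()         # resources the user must pass through to reach it

def can_view(roles, res):
    """Check only the resource itself (the behaviour the report describes)."""
    return bool(roles & res.view_roles)

def can_reach(roles, res):
    """Check the resource and, recursively, every container around it."""
    return can_view(roles, res) and all(can_reach(roles, c) for c in res.containers)

def feed(roles, activities, check):
    """Return the activity lines whose target passes `check` for these roles."""
    return [text for text, target in activities if check(roles, target)]

def scenario(layout_roles, node_roles):
    """Constructed data: one activity about a wiki page with default permissions."""
    layout = Resource('"Wiki" page', frozenset(layout_roles))
    node = Resource('wiki node "Main"', frozenset(node_roles))
    entry = Resource("new wiki page", frozenset({"Organization Members"}), (node, layout))
    return [("A wiki page was added", entry)]

LITTLE = frozenset({"Little", "Organization Members"})
BIG = frozenset({"Big", "Organization Members"})

# Steps 1-9: the "Wiki" page is viewable by "Big" only, the node keeps its defaults.
STEPS_1_9 = scenario({"Big"}, {"Organization Members"})
# Steps 10-14: "Little" may view the "Wiki" page, but only "Big" may view the node.
STEPS_10_14 = scenario({"Big", "Little"}, {"Big"})

if __name__ == "__main__":
    for label, acts in (("steps 1-9", STEPS_1_9), ("steps 10-14", STEPS_10_14)):
        print(label, "content-only:", feed(LITTLE, acts, can_view))
        print(label, "container-aware:", feed(LITTLE, acts, can_reach))
        print(label, "BigUser:", feed(BIG, acts, can_reach))
```

With the content-only check, LittleUser's feed shows the line in both scenarios; with the container-aware check it is hidden in both, while BigUser still sees it.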

          Activity

          Michael Han added a comment -

          Please retest against latest 6.1

          Luyang Tan (Inactive) added a comment -

          FAILED through Manual Testing following the steps in the description.
          Tomcat 7.0 + MySQL 5. 6.1.x GIT ID: 6d6b8814da7c7295ed4cab8420e070793361f856.
          Tomcat 7.0 + MySQL 5. 6.2.x GIT ID: 71ce8e940ae12bae24e2a5e14cf3f836bb291915.

          There are two bugs in total on this ticket. In both step 9 and step 14, some lines
          shouldn't be visible in the "Members' Activities" portlet. In step 14, this bug is
          fixed, I cannot see the lines anymore, but in step 9, I can still see the lines.

          Drew Blessing added a comment -

          This is a bit of a security concern. Once Social Office comes out this may be an even bigger concern because users will ideally utilize the personal site more and the activities feed is a part of the public profile. Every time a user creates a private task or uploads a private file, those things are published to the feed.

          Thanks for looking into this.

          Luyang Tan (Inactive) added a comment -

          FAILED Manual Testing following the steps in the description.

          Failed on:
          Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: 285cf2578d185a0fd2ff4a3ee512a4fe7ec8fd90.
          Tomcat 7.0 + MySQL 5. Portal 6.2.x GIT ID: a7e8d79e0d8a8cfaa2172ad0bf443931c9b64da3.

          In step 9, I shouldn't see some lines in the "Members' Activities" portlet, but now I can
          see them, which is not right. Other places work fine.

          Roberto Diaz added a comment -

          This ticket is been fixed in LPS-37298


            People

            • Votes: 2
            • Watchers: 5
