Details

    • Branch Version/s:
      6.1.x
    • Backported to Branch:
      Committed
    • Fix Priority:
      3
    • Similar Issues:
      Show 2 results 

      Description

      1. Add web content template or structure
      2. Remove guest view permissions
      3. Get the templateId or structureId and go to URL like this:
      http://localhost:8080/c/journal/get_template?templateId=10811

      Even if guests have permission to view it (this will be default on all public sites), I think only users who can update should actually be able to see the source of a template.

        Issue Links

          Activity

          Hide
          rotty Raymond Auge added a comment -

          Waiting for comment on why the use of UPDATE instead of VIEW. Using UPDATE breaks lots of expectations and clarity. It also breaks current use cases.

          Show
          rotty Raymond Auge added a comment - Waiting for comment on why the use of UPDATE instead of VIEW. Using UPDATE breaks lots of expectations and clarity. It also breaks current use cases.
          Hide
          samuel.kong Samuel Kong added a comment -

          For the fix I submitted

          • I'm using VIEW. Will create a separate ticket to remove VIEW permission by default.
          • Also included fix which prevents WebDAV users from viewing the structure/templates.
          Show
          samuel.kong Samuel Kong added a comment - For the fix I submitted I'm using VIEW. Will create a separate ticket to remove VIEW permission by default. Also included fix which prevents WebDAV users from viewing the structure/templates.
          Hide
          michael.saechang Michael Saechang added a comment -

          Committed on:
          Portal 6.2.x GIT ID: c4ed87db9ed0f7885a54447fffd7d0ba9f67dbcd.

          Show
          michael.saechang Michael Saechang added a comment - Committed on: Portal 6.2.x GIT ID: c4ed87db9ed0f7885a54447fffd7d0ba9f67dbcd.
          Hide
          luyang.tan Luyang Tan (Inactive) added a comment - - edited

          PASSED Manual Testing following the steps in the description.

          Reproduced on:
          Tomcat 7.0 + MySQL 5. Portal 6.1.20 EE GA2.

          When I remove guest view permission, after I type the URL, I can see the structure/template's source.
          When I access in the WebDAV, I can open the structure/template's source.

          Fixed on:
          Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: aa2df3cddf03b410f1f377adf9ae879150f68e0a.
          Tomcat 7.0 + MySQL 5. Portal 6.2.x GIT ID: 7f1549a96d58e7ffdf7988242c7fdb047db0c74e.

          When I remove guest view permission, after I type the URL, I will get the error message: You do not have permission to access the requested resource.
          When I access in the WebDAV, I can not open the structure/template's source.

          Show
          luyang.tan Luyang Tan (Inactive) added a comment - - edited PASSED Manual Testing following the steps in the description. Reproduced on: Tomcat 7.0 + MySQL 5. Portal 6.1.20 EE GA2. When I remove guest view permission, after I type the URL, I can see the structure/template's source. When I access in the WebDAV, I can open the structure/template's source. Fixed on: Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: aa2df3cddf03b410f1f377adf9ae879150f68e0a. Tomcat 7.0 + MySQL 5. Portal 6.2.x GIT ID: 7f1549a96d58e7ffdf7988242c7fdb047db0c74e. When I remove guest view permission, after I type the URL, I will get the error message: You do not have permission to access the requested resource. When I access in the WebDAV, I can not open the structure/template's source.

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Days since last comment:
                3 years, 12 weeks, 4 days ago

                Development

                  Subcomponents

                    Structure Helper Panel