Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-29017

A user can always see user group layouts despite explicitely removing permissions

    Details

    • Fix Priority:
      2

      Description

      reproduce steps:

      1.set following property in portal-ext.properties
      user.groups.copy.layouts.to.user.personal.site=false

      layout.user.private.layouts.enabled=true
      layout.user.private.layouts.auto.create=false
      layout.user.private.layouts.power.user.required=false
      admin.default.role.names=User

      2. create a user group aaa

      3. create a private page bbb for user group aaa

      4. uncheck user role view permission for page bbb

      5. create a user ccc and assign user ccc to user group aaa

      6. login portal with user ccc and then click "My private pages" you will see the page bbb.

      Because the user role has no view permission for page bbb, so the user ccc should not see the page bbb


      CVSS Base Score: 3.5
      CVSS Temporal Score: 3.2
      CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N/E:P/RL:U/RC:C)
      

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Days since last comment:
                3 years, 11 weeks, 2 days ago