Details

    • Branch Version/s:
      6.1.x, 6.0.x
    • Backported to Branch:
      Committed

      Description

      1. Create two Groups/Sites (Group A and Group B). Group B is private and has a private page
      2. Create an announcment in private Group B.
      3. Create an announcment in Group A
      4. Create a User who is member of Group A and able to edit announcments. This user is no member of the private Group B.
      5. Open the announcment from Group A with "Edit". In the URL you are able to edit the parameter "entryId" to the ID of the announcement from Group B.
      You will get this announcmanet from Group B although you are not a member of Group B and you don't have any access rights.
      Here is a short URL example:
      ?p_p_id=84&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-1&p_p_col_count=1&_84_struts_action=%2Fannouncements%2Fedit_entry&_84_redirect=http%3A%2F%2Flocalhost%3A8080%2Fgroup%2Fjedermannsgruppe%2Fhome%3Fp_p_id%3D84%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_p_col_id%3Dcolumn-1%26p_p_col_count%3D1&_84_entryId=10612

      Issue occurs on Trunk 42351a8 [ahead 3947] too.

      Please see also:
      http://issues.liferay.com/browse/LPS-5452?focusedCommentId=212479&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-212479

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                0 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Days since last comment:
                  5 years, 17 weeks, 6 days ago