Details

    • Branch Version/s:
      6.1.x, 6.0.x
    • Backported to Branch:
      Committed

      Description

      1. Create two Groups/Sites (Group A and Group B). Group B is private and has a private page.
      2. Create an announcement in private Group B.
      3. Create an announcement in Group A.
      4. Create a User who is a member of Group A and able to edit announcements. This user is not a member of the private Group B.
      5. Open the announcement from Group A with "Edit". In the URL you are able to edit the parameter "entryId" to the ID of the announcement from Group B.
      You will get this announcement from Group B although you are not a member of Group B and you don't have any access rights.
      Here is a short URL example:
      ?p_p_id=84&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-1&p_p_col_count=1&_84_struts_action=%2Fannouncements%2Fedit_entry&_84_redirect=http%3A%2F%2Flocalhost%3A8080%2Fgroup%2Fjedermannsgruppe%2Fhome%3Fp_p_id%3D84%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_p_col_id%3Dcolumn-1%26p_p_col_count%3D1&_84_entryId=10612

      Issue occurs on Trunk 42351a8 [ahead 3947] too.

      Please see also:
      http://issues.liferay.com/browse/LPS-5452?focusedCommentId=212479&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-212479
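
A model of the behaviour in the steps above, as an added example that is not part of the original report and is not Liferay code: an edit action that returns whatever "entryId" names, beside a version that authorizes against the group owning the loaded entry. All class, method and field names and the group IDs are hypothetical; the sample entries are constructed, with 10612 reused from the URL above.

```java
import java.util.Map;
import java.util.Set;

// Model of the reported flaw: the edit action loads an announcement by the
// entryId taken from the request. Names are hypothetical, not Liferay's API.
public class AnnouncementEditCheck {

    record Entry(long entryId, long groupId, String content) {}

    record User(String name, Set<Long> editableGroupIds) {}

    // Constructed sample data: entry 10612 belongs to private Group B (id 2).
    static final Map<Long, Entry> ENTRIES = Map.of(
        10611L, new Entry(10611L, 1L, "Group A announcement"),
        10612L, new Entry(10612L, 2L, "Private Group B announcement"));

    // Before (behaviour as reported): a user who may edit announcements
    // somewhere receives whichever entry the supplied entryId names.
    static Entry loadForEditUnchecked(User user, long entryId) {
        return ENTRIES.get(entryId);
    }

    // After: authorize against the group that owns the loaded entry, not the
    // group of the page the request was sent from.
    static Entry loadForEditChecked(User user, long entryId) {
        Entry entry = ENTRIES.get(entryId);
        // Same error for "missing" and "forbidden" so IDs cannot be probed.
        if (entry == null || !user.editableGroupIds().contains(entry.groupId())) {
            throw new SecurityException("No permission for entry " + entryId);
        }
        return entry;
    }

    public static void main(String[] args) {
        User editorA = new User("editor-a", Set.of(1L)); // member of Group A only
        System.out.println("unchecked: " + loadForEditUnchecked(editorA, 10612L).content());
        System.out.println("checked own: " + loadForEditChecked(editorA, 10611L).content());
        try {
            loadForEditChecked(editorA, 10612L);
        } catch (SecurityException e) {
            System.out.println("checked foreign: " + e.getMessage());
        }
    }
}
```

Records require Java 16 or later.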

        Activity

        Michael Saechang added a comment -

        Committed on:
        Portal 6.2.x GIT ID: acd0249a9a48d59e393358254ddecf73bfff9f7e.

        Pani Gui (Inactive) added a comment - edited

        PASSED Manual Testing following the steps in the description.

        Reproduced on:
        Tomcat 7.0 + MySQL 5. 6.1.20 EE GA2.

        User who has an edit permission for Announcement can view private announcements through announcement edit.

        Fixed on:
        Tomcat 6.0 + MySQL 5. Portal 6.0.x GIT ID: 9f20ddaf87d6eaca624c11cd5ac42e54fc31c2f4.
        Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: 44f06686b220c5b7052042e7aeff24a9ac371985.
        Tomcat 7.0 + MySQL 5. Portal 6.2.x GIT ID: 18a8e1827c736dbcec81a6c26ec44c061ab80fe0.

        User cannot view private announcements. Showing the required message on the portlet.


            Dates

            • Days since last comment:
              2 years, 33 weeks, 1 day ago
