1-As Portal Admin
Define default permissions VIEW on "Community member" for DocumentLibray.
2-As Community Owner
Create a folder in a community Doc Lib, setting "share with community member" permissions.
3-As community member
OK => If you connect as a community member, you'll see the folder
4-Now, as community Owner, edit permissions for the folder and just save it (even without modifying anything)
5-As Commununity member
KO => the folder is no more viewable !
The reason of this is that the doclib portlet view use DLFolderServiceUtil.getFolders that itself call a persitence method (filterFindByG_P) that inject an INNER JOIN on ResourcePermission via InlineSQLHelperUtil :
//Role "Member of Comm" is 10144
SELECT DISTINCT dlFolder.parentFolderId, dlFolder.name
FROM DLFolder dlFolder
INNER JOIN ResourcePermission
(dlFolder.userId = 21909)
OR (ResourcePermission.companyId = 10132)
AND (ResourcePermission.name = 'com.liferay.portlet.documentlibrary.model.DLFolder')
AND (ResourcePermission.roleId IN (0,10142,10144)) AND (MOD(ResourcePermission.actionIds, 2) = 1)
(ResourcePermission.scope = 1)
AND (ResourcePermission.primKey = '10132')
(ResourcePermission.scope = 2)
AND (ResourcePermission.primKey IN ('23001'))
(ResourcePermission.scope = 4)
AND (ResourcePermission.primKey = CAST(dlFolder.folderId AS text))
WHERE dlFolder.groupId = 23001
AND dlFolder.parentFolderId = 24106
ORDER BY dlFolder.parentFolderId ASC, dlFolder.name ASC
This SQL Statement does not take the case of permissions VIEW defined on "Community member" Rôle.
In RessourcePermission table, we have this data for roleId "community member" :
name="com.liferay.portlet.documentlibrary.model.DLFolder"; scope=3;primkey="0";roleid=10144;actionids=31 (or any bitwised value with mod=1; that is ID for action VIEW)
So InlineSQLHelperUtil is not enough ...
As a workaround, we can use DLFolderLocalServiceUtil.getFolders() instead of DLFolderServiceUtil.getFolders() in the view.jsp, it goes to a persistence method (filterFindByG_P) that does not use InlineSQLHelperUtil, and so the folders are visible... but for everyone...
So, why not implement (or extend) a Service Method that use this last one, with a classic permissionChecker check, as it is done in the method DLFolderServiceUtil.getFolder() used to get ONE folder ?