- Type: Bug
- Status: Closed
- Resolution: Won't Fix
- Affects Version/s: 6.0.12 EE, 6.1.1 CE GA2, 6.1.20 EE GA2
- Fix Version/s: 6.0.12 EE, 6.1.1 CE GA2, 6.1.20 EE GA2
- Component/s: User Management
- Labels:
- Fix Priority: 4
- Git Pull Request:
Case 1
- Fact: We can define the "VIEW" permission on Organizations for a given Role
- Result: A User can see other users' Organizations on the Edit User/Organizations page if his Role has the "VIEW" permission defined (and he also belongs to this Organization)
This is because of the following logic in /portal-trunk/portal-web/docroot/html/portlet/users_admin/init.jsp:
if (permissionChecker.hasPermission(0, Organization.class.getName(), company.getCompanyId(), ActionKeys.VIEW)) { filterManageableOrganizations = false; }
- Problem: The "Select" and "Remove" buttons are always displayed on the Edit User/Organizations page, but they only take effect if the given Role has the "ASSIGN_MEMBERS" permission
Case 2
- Fact: We can define the "VIEW" permission on Sites for a given Role
- Result/Problem: A User cannot see other users' Sites on the Edit User/Sites page, even if his Role has the "VIEW" permission defined (and he also belongs to this Organization)
Case 3
- Same as the 2nd case, but for Roles
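As an added illustration (not Liferay code and not part of this ticket), the following Java models the consistent behaviour the three cases describe: a company-scoped VIEW permission decides whether the edited user's memberships are listed unfiltered, and ASSIGN_MEMBERS decides whether the Select/Remove controls are rendered. It applies the same rule to Organizations, Sites, Roles and User Groups. The class and method names (MembershipTabModel, resolve, RolePermissions, MembershipView) and the sample data are assumptions for this example; only the action key names and the "filter manageable" flag mirror names from the ticket.

```java
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

// Added example, not Liferay code: a self-contained model of the membership
// tab logic described in this ticket. Type and method names here are
// assumptions made for the illustration.
public class MembershipTabModel {

    // Action keys discussed in the ticket (mirror ActionKeys.VIEW and
    // ActionKeys.ASSIGN_MEMBERS).
    public enum ActionKey { VIEW, ASSIGN_MEMBERS }

    // Membership resource types named in the ticket.
    public enum Resource { ORGANIZATION, SITE, ROLE, USER_GROUP }

    // Company-scoped actions a role grants on one resource type.
    public static final class RolePermissions {
        final Resource resource;
        final Set<ActionKey> actions;

        RolePermissions(Resource resource, Set<ActionKey> actions) {
            this.resource = resource;
            this.actions = Set.copyOf(actions);
        }

        boolean has(ActionKey key) {
            return actions.contains(key);
        }
    }

    // What the Edit User membership tab should render for the editing user.
    public static final class MembershipView {
        final List<String> listed;
        final boolean showAssignControls;

        MembershipView(List<String> listed, boolean showAssignControls) {
            this.listed = listed;
            this.showAssignControls = showAssignControls;
        }
    }

    // targetMemberships: entities the edited user belongs to.
    // manageableByEditor: entities the logged-in user is allowed to manage.
    public static MembershipView resolve(RolePermissions perms,
                                         List<String> targetMemberships,
                                         List<String> manageableByEditor) {
        // Mirror of the init.jsp condition: company-wide VIEW switches the
        // "manageable only" filter off, so the full membership list is shown.
        boolean filterManageable = !perms.has(ActionKey.VIEW);
        List<String> listed = new ArrayList<>();
        for (String name : targetMemberships) {
            if (!filterManageable || manageableByEditor.contains(name)) {
                listed.add(name);
            }
        }
        // Select/Remove only take effect with ASSIGN_MEMBERS, so the controls
        // are rendered only in that case instead of unconditionally.
        boolean showControls = perms.has(ActionKey.ASSIGN_MEMBERS);
        return new MembershipView(listed, showControls);
    }

    public static void main(String[] args) {
        // Constructed data loosely following the ticket's use case.
        List<String> targetSites = List.of("community-site", "other-site");
        List<String> editorManageable = List.of("community-site");

        RolePermissions viewOnly =
            new RolePermissions(Resource.SITE, EnumSet.of(ActionKey.VIEW));
        MembershipView v = resolve(viewOnly, targetSites, editorManageable);
        System.out.println("VIEW only:   listed=" + v.listed
            + " controls=" + v.showAssignControls);

        RolePermissions noView =
            new RolePermissions(Resource.SITE, EnumSet.noneOf(ActionKey.class));
        MembershipView n = resolve(noView, targetSites, editorManageable);
        System.out.println("no VIEW:     listed=" + n.listed
            + " controls=" + n.showAssignControls);

        RolePermissions viewAndAssign = new RolePermissions(Resource.SITE,
            EnumSet.of(ActionKey.VIEW, ActionKey.ASSIGN_MEMBERS));
        MembershipView a = resolve(viewAndAssign, targetSites, editorManageable);
        System.out.println("VIEW+ASSIGN: listed=" + a.listed
            + " controls=" + a.showAssignControls);
    }
}
```

With the constructed data, the VIEW-only role lists both sites but gets no Select/Remove controls, the role without VIEW lists only the manageable site, and only the role holding ASSIGN_MEMBERS gets the controls. The point of the model is that the server-side ASSIGN_MEMBERS check the ticket mentions is what actually protects the assignment, and the page should render its controls from the same decision rather than showing them to everyone.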
Here is a possible use case:
1. Create a user "target-user"
2. Create a second user "test-user"
3. Create a community site "community-site"
5. Create a regular role "regular-role"
6. Create a community role "community-role"
7. Assign both users to "community-site"
8. Assign role "regular-role" to the user "test-user"
9. Assign role "community-role" to the user "target-user"
10. Define the following permissions for "regular-role"
- Go to Control Panel/Roles
- Click on "Actions" and select "Define Permissions"
- Select "Users and Organizations" under "Control Panel:Portal" scope in the "Add Permissions" dropdown
- Add permissions "Access in Control Panel" and "View"
- Select "Sites" under "Portal" scope in the "Add Permissions" dropdown
- Scroll down to "Site" section on the page
- Add permission "View"
Now, the "regular-role" has "View" resource permission for "Site" (Group model)
11. Log in as user "test-user" and go to the Control Panel/Users and Organizations portlet
12. Go to "View Users" and edit "target-user"
13. Navigate to "Sites" in the right column view
Result: Site is not shown
This also happens with UserGroups and Roles.
Organizations can be seen because of the changes introduced in LPS-26228.