Affects Version/s: 6.1.1 CE GA2, 6.1.20 EE GA2
Environment: Tomcat 7 + MySQL 5. Portal 6.1.x GIT ID: 395c2c8fbb81b8250e0aa8542a1778a017fbdd01.
Tomcat 7 + MySQL 5. Portal 6.2.x GIT ID: 2c1941edd4748871102ef7bf5bc7d44d12283e4b.
Backported to Branch: Committed
- The delete button is shown on asset category administration even though the user might not have sufficient permissions to use it.
- If the selection contains some categories the user has permission to delete and others he does not, the portal doesn't allow partial deletion.
1) Let the user check the boxes and click on the delete button.
2) Portal tries to delete the checked items (which could be vocabulary and/or category).
3) After the whole process has finished, the portal sends a message listing which categories/vocabularies could not be deleted because of lack of permissions.
You can find more info about the expected behaviour here: http://in.liferay.com/web/global.engineering/forums/-/message_boards/message/1245865?p_p_auth=OJruDI4Q#_19_message_1245916
Steps to reproduce:
1) Create a role R1 and define permissions according to the attached screenshot.
2) Create a user U1 with this role and add Liferay to his sites.
3) Create a vocabulary V1 and category C1 with the admin user.
4) Grant View permission to R1 on category C1.
5) Log in as U1, go to Categories.
6) Create your own category C2.
7) Select both C1 and C2 and try to delete both of them.
6.1.x: "You do not have permission to the requested resource" is reported.
6.2.x: com.liferay.portal.security.auth.PrincipalException exception is reported on the console.
C2 is not removed in either 6.1.x or 6.2.x. Of course you can always delete your own categories/vocabularies (C2 in this example).
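
The difference between the reported and the expected behaviour, as an added stand-alone example (not Liferay code; every class and method name here is hypothetical, and the permission store is constructed to mirror C1 and C2 from the steps above). The server checks the delete permission per item, so a failed check on C1 is collected and reported instead of aborting the removal of C2:

```java
import java.util.*;

// Added illustration: stand-alone model, not Liferay code. All names are hypothetical.
public class PartialDeleteExample {
    // Stand-in for the permission failure the portal raises (PrincipalException on the page).
    static class PermissionDeniedException extends Exception {
        PermissionDeniedException(String msg) { super(msg); }
    }

    // Constructed store: category name -> actions the current user (U1) holds on it.
    static final Map<String, Set<String>> categories = new LinkedHashMap<>();

    // Server-side check on every single item, independent of what the UI displayed.
    static void deleteCategory(String name) throws PermissionDeniedException {
        Set<String> actions = categories.get(name);
        if (actions == null || !actions.contains("DELETE")) {
            throw new PermissionDeniedException("No DELETE permission on " + name);
        }
        categories.remove(name);
    }

    // Reported behaviour: the first denial aborts the whole request.
    static void deleteAllOrNothing(List<String> selected) throws PermissionDeniedException {
        for (String name : selected) deleteCategory(name);
    }

    // Expected behaviour: attempt every item and return the ones that were denied.
    static List<String> deletePermitted(List<String> selected) {
        List<String> denied = new ArrayList<>();
        for (String name : selected) {
            try {
                deleteCategory(name);
            } catch (PermissionDeniedException e) {
                denied.add(name); // keep going; report after the loop
            }
        }
        return denied;
    }

    public static void main(String[] args) {
        categories.put("C1", new HashSet<>(Arrays.asList("VIEW")));           // created by admin
        categories.put("C2", new HashSet<>(Arrays.asList("VIEW", "DELETE"))); // created by U1
        List<String> selected = Arrays.asList("C1", "C2");
        try {
            deleteAllOrNothing(selected);
        } catch (PermissionDeniedException e) {
            System.out.println("all-or-nothing: " + e.getMessage() + "; remaining " + categories.keySet());
        }
        List<String> denied = deletePermitted(selected);
        System.out.println("partial: could not delete " + denied + "; remaining " + categories.keySet());
    }
}
```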