Details
- Bug
- Status: Closed
- Resolution: Fixed
- 6.1.1 CE GA2, 6.1.20 EE GA2
- 6.1.x
- Committed
- 3
Description
Users (site members) can see portlets added by an administrator in the customizable zones even if all the "View" permissions have been unchecked/removed by the administrator.
Steps to reproduce:
- Create a new user, e.g. "Test01", and assign it to the default "Liferay" site
- Go back to the "Welcome" page
  a) Click on the dockbar -> Manage -> Page
  b) Go to the customization settings at the right side of the page
  c) Check the customizable checkbox for "column-1"
  d) Save it
- Click on the view default page option in the dockbar
- Place the Translator portlet below the "Hello world" portlet (in the non-customizable zone)
  a) Configure it so that only the owner has all of the permissions for this portlet; the rest of the checkboxes should be unchecked
  b) Save it
- Log in from a different browser as "Test01"
  a) Click on the view default page option in the dockbar. "Test01" is not able to see the content of the Translator portlet and sees the warning message: "You do not have the roles required to access this portlet." - It's OK
  b) If you go to the user's customized page and click on the "Reset My Customization" option, it works correctly. - So far so good.
- Switch back to the admin session
- Move the "Translator" portlet below the "Sign in" portlet (into the customizable zone)
  a) Make sure that the permissions aren't changed!
- Go back to the "Test01" session
- Refresh the page. You can now see that the portlet has been moved, and you still don't have permission to view it
- Click on the "View My Customized Page" option in the dockbar as "Test01"
- Click on the "Reset My Customization" option
- Now you are able to see the "Translator" portlet's content even though you don't have view permission for it! - It's not OK!
Furthermore, if you remove the "Translator" portlet from the customized page as "Test01", then go back to the admin session and check the permissions, you can see that the permissions for Guest and Site Members have been restored, which might cause this issue.
Issue Links
- Discovered while testing
  - LPS-43481 Reset My Customizations link does not restore a user's customized page to the match the default page (Closed)
  - LPS-43894 User with customizable site pages permission can add recent content with an error message (Closed)
- relates
  - LPE-8957 Portlet permissions not correctly applied in customizable zone (Closed)