Affects Version/s: 6.1.20 EE GA2
Environment: LIFERAY VERSION: 6.1 GA2
OPERATING SYSTEM: Red Hat Enterprise 6
APPLICATION SERVER: Tomcat 7.0
JAVA VIRTUAL MACHINE: Java 6
DATABASE: SQL Server 2008 R2
Issue: When a user with no Owner permissions accesses a page with Page Comments, the user can edit or delete comments that have been made by previous users. Only Site Administrators should have this ability.
Steps to reproduce:
1) Open Liferay and log in as the Admin.
2) Add "Page Comments" portlet to a page.
3) Leave a comment on "Page Comments."
4) Create a second user – "Test2" – and under the Roles tab, remove the "Power User" role.
5) Log out of Liferay and log in to Liferay as "Test2". Test2 should only have basic site member permissions.
6) Go to the page where "Page Comments" is located.
7) Edit Admin's comment. You are also able to delete the comment.
Intended functionality: Each user without Owner permissions should be able to edit only their own comments.
Actual functionality: All users can edit and delete all other users' comments.
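
The intended behaviour above, written as a server-side check with the reproduction scenario as a regression test. This is an added example, not Liferay code: the role names, the classes and the permissive `reportedRule` are assumptions constructed to mirror the report, which does not show the actual cause.

```java
import java.util.Set;

// Stand-alone model (Java 16+ for records); none of these names are Liferay APIs.
public class CommentPermissionCheck {
    enum Role { SITE_ADMIN, SITE_MEMBER }          // hypothetical role names
    enum Action { EDIT, DELETE }

    record User(String name, Set<Role> roles) {}
    record Comment(long id, String authorName) {}

    // Constructed permissive rule: any site member may modify any comment.
    // It reproduces the "Actual functionality" line, nothing more.
    static boolean reportedRule(User actor, Comment c, Action a) {
        return actor != null && !actor.roles().isEmpty();
    }

    // "Intended functionality": site administrators may modify any comment,
    // everyone else only their own. Anything unexpected is denied.
    static boolean intendedRule(User actor, Comment c, Action a) {
        if (actor == null || c == null || a == null) {
            return false;
        }
        if (actor.roles().contains(Role.SITE_ADMIN)) {
            return true;
        }
        return actor.name().equals(c.authorName());
    }

    static void expect(boolean actual, boolean wanted, String label) {
        if (actual != wanted) {
            throw new AssertionError(label + ": got " + actual + ", wanted " + wanted);
        }
        System.out.println("ok   " + label + " -> " + actual);
    }

    public static void main(String[] args) {
        // Constructed data following steps 1-7 of the report.
        User admin = new User("Admin", Set.of(Role.SITE_ADMIN));
        User test2 = new User("Test2", Set.of(Role.SITE_MEMBER)); // "Power User" removed
        Comment adminComment = new Comment(1L, "Admin");
        Comment test2Comment = new Comment(2L, "Test2");

        for (Action a : Action.values()) {
            expect(reportedRule(test2, adminComment, a), true, "reported: Test2 " + a + " Admin's comment");
            expect(intendedRule(test2, adminComment, a), false, "intended: Test2 " + a + " Admin's comment");
            expect(intendedRule(test2, test2Comment, a), true, "intended: Test2 " + a + " own comment");
            expect(intendedRule(admin, test2Comment, a), true, "intended: Admin " + a + " Test2's comment");
        }
    }
}
```

The same matrix (actor, comment author, action) is what a regression test for the fix needs to cover, with the check made on the server for every edit and delete request rather than by hiding the buttons in the portlet UI.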