Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-51379

User cannot update document if the document contains custom attributes on which the user has no permission.

    Details

      Description

      Issue:
      User cannot update document if the document contains custom attributes on which the user has no permission.

      Steps to reproduce:

      1. Logged in with test@liferay.com.
      2. Added a page called as "Files".
      3. Added Document & Media Portlet in the page "Files".
      4. Went to Admin->Control Panel>Custom Fields.
      5. Configured Custom Attribute of Type (True/False) for resource "Document".
      6. Added Basic Document with title "abc" in Document & Media Portlet leaving Test field selected as false.
      7. Created a new user with valid mail address for eg: user1@liferay.com
      8. Assigned Liferay Site to the newly created user and gave "Site Admin" role to it.
      9. Now edited Basic Document with title "abc" using newly created user i.e.user1@liferay.com and clicked on Publish.

      Expected behaviour :
      The user should be able to update the Document and unable to update the custom field (leave the custom field value what it was).

      Actual behaviour:
      The user is not able to update the Document and errors are received:

      11:12:28,628 ERROR [http-bio-8080-exec-13][render_portlet_jsp:132] null
      com.liferay.portal.security.auth.PrincipalException
      at com.liferay.portlet.expando.service.permission.ExpandoColumnPermissionImpl.check(ExpandoColumnPermissionImpl.java:36)
      at com.liferay.portlet.expando.service.permission.ExpandoColumnPermissionUtil.check(ExpandoColumnPermissionUtil.java:33)
      at com.liferay.portlet.expando.service.impl.ExpandoValueServiceImpl.addValue(ExpandoValueServiceImpl.java:51)
      at com.liferay.portlet.expando.service.impl.ExpandoValueServiceImpl.addValues(ExpandoValueServiceImpl.java:83)
      at com.liferay.portal.spring.aop.ServiceBeanMethodInvocation.proceed(ServiceBeanMethodInvocation.java:115)
      at com.liferay.portal.spring.transaction.DefaultTransactionExecutor.execute(DefaultTransactionExecutor.java:62)
      at com.liferay.portal.spring.transaction.TransactionInterceptor.invoke(TransactionInterceptor.java:51)
      at com.liferay.portal.spring.aop.ServiceBeanMethodInvocation.proceed(ServiceBeanMethodInvocation.java:111)
      at com.liferay.portal.spring.aop.ChainableMethodAdvice.invoke(ChainableMethodAdvice.java:56)
      at com.liferay.portal.spring.aop.ServiceBeanMethodInvocation.proceed(ServiceBeanMethodInvocation.java:111)
      at com.liferay.portal.spring.aop.ChainableMethodAdvice.invoke(ChainableMethodAdvice.java:56)
      at com.liferay.portal.spring.aop.ServiceBeanMethodInvocation.proceed(ServiceBeanMethodInvocation.java:111)
      at com.liferay.portal.spring.aop.ServiceBeanAopProxy.invoke(ServiceBeanAopProxy.java:175)
      at com.liferay.portlet.expando.service.ExpandoValueServiceUtil.addValues(ExpandoValueServiceUtil.java:88)
      at com.liferay.portlet.expando.model.impl.ExpandoBridgeImpl.setAttributes(ExpandoBridgeImpl.java:518)
      at com.liferay.portlet.expando.model.impl.ExpandoBridgeImpl.setAttributes(ExpandoBridgeImpl.java:553)
      at com.liferay.portlet.expando.model.impl.ExpandoBridgeImpl.setAttributes(ExpandoBridgeImpl.java:544)
      at com.liferay.portlet.documentlibrary.model.impl.DLFileVersionModelImpl.setExpandoBridgeAttributes(DLFileVersionModelImpl.java
      :992)
      at com.liferay.portlet.documentlibrary.service.impl.DLFileEntryLocalServiceImpl.addFileVersion(DLFileEntryLocalServiceImpl.java
      :1750)
      at com.liferay.portlet.documentlibrary.service.impl.DLFileEntryLocalServiceImpl.checkOutFileEntry(DLFileEntryLocalServiceImpl.j
      ava:578)

      There is also a potential data corruption: If the user only has update permission for the custom field, when he updates the document, he is updating the value of custom field as NULL unconsciously.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Days since last comment:
                  4 years, 36 weeks, 1 day ago

                  Packages

                  Version Package
                  6.2.4 CE GA5
                  6.2.X EE
                  7.0.0 M3