Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-53055

Users with permission to manage site memberships should not be able to assign roles for which they don't have the "Assign Members" permission



      Reproduction steps:
      1) Login with Admin user
      2) Go to Control Panel and create a site, e.g. MySite. Add a "Welcome" page to such site
      3) Go to Control Panel-Roles
      4) Add 2 Site Roles: example and moderator
      5) Click on the Action menu for "example" and choose "Permissions". Check the box "Assign Members" for the role "moderator" and save
      6) On the action menu for moderator, click on Define Permissions and choose the following combination:

      Site Memberships: Access in Site Administration
      Site Memberships: View
      Sites > Site: Assign Members
      Sites > Site: Assign User Roles
      Sites > Site: Go to Site Administration
      Sites > Site: View

      and Save
      7) Create a user called m, assign it to site MySite and role "moderator"
      8) Create another user called e, assign it to MySite with no Site roles
      9) In another browser session, login with user m, click on My Sites > MySite, then on Admin>Site Administration>Users
      10) Click on the Actions menu next to user e and click "Assign site roles"

      Expected: Only the role example to appear
      Actual behavior: both example and moderator roles appear


          Issue Links



              • Votes:
                0 Vote for this issue
                1 Start watching this issue


                • Created:
                  Days since last comment:
                  5 years, 18 weeks, 1 day ago


                  Version Package
                  6.2.3 CE GA4
                  6.2.X EE
                  7.0.0 M4