When a User navigates to Control Panel > Workflow Submissions, they are able to view the workflow submissions of the other site members as well as withdraw the submissions of those members. The admin should be the only one able to view the submissions of all site members.
Steps to reproduce:
- Set Workflow for Blogs
- Add 2 Users (User 1 and User 2)and add them to the Liferay site
- Go to Roles > Site Members > Define Permissions
- Search Blogs > Click into Content > Blogs
- Set these two permissions
- General Permissions > Access in Site Administration
- Blog Entries > Add Entry
- Sign into User 1 and submit a Blogs entry
- Sign into User 2 and submit a Blogs entry
- As User 2 go to My Account > My Submissions
- Assert you can only see the blogs entry from User 2
- Still as User 2 go to Admin > Content > Workflow Submissions
You can still only see the blogs entry submissions from User 2.
You can see both User 2 and User 1 blog entry submissions. User 2 is also able to click the actions icon of User 1 and withdraw their submission.
- Log out and log in as User 1
- Repeat steps 9-11 for User 1
- Log out and log in as Test Test
- Go to Admin > Content > Workflow Submissions
- Assert you can see the submissions from both User 1 and User 2
Even with access to Content > Workflow Submissions, User 1 and User 2 should only see their own submissions. It should have the same behavior as clicking into My Account > My Submissions. Test Test is the only one that should see all of the workflow submissions.
User 1 and User 2 are able to see each others' workflow submissions under CP > Workflow Submissions. This allows site members to view and withdraw other members' submissions.
Tomcat 7.0.62 + MYSQL 5.6.27
Portal master GIT ID 730ebdf243d1307194cb9a8826fd8234fb7fd3c3