Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-70915

My Sites portlet displays private pages even when the user does not have any rights to view the private page

    Details

      Description

      Background
      The My Sites portlet displays all of the sites that a user belongs to, and in the options next to each sites, lists the following options:

      • Go to Public Page
      • Go to Private Page
      • Leave

      In a scenario where a user is a Site Member, and does not have View access to a Private page, the Go to Private Page link is still available. Clicking on it lands the user on a Forbidden error page:

      Forbidden
      
      You do not have permission to access the requested resource. 
      
      http://localhost:8080/group/guest

      This is correct behavior, since the Site Member user does not have access. It seems that the My Sites portlet should not display Go to Private Page if a user has no rights to access the private pages.

      Steps to Reproduce

      1. Setup Liferay DXP + DE-11
      2. Add a My Site portlet to the Public "Welcome" page of the Liferay DXP site
      3. Create a user (e.g. user1) and join the Liferay DXP site to become a Site Member
      4. In the default Liferay DXP site, create a private page (e.g. Private_Welcome)
      5. Configure the Private_Welcome page by clicking Private Pages > Private_Welcome > ⁝ button > Configure Page
      6. In the Configure Page pane, click the ⋮ button (top right corner) > Permissions > uncheck all permissions for all roles other than "Owner" (i.e. everything for Owner is checked, but nothing else)
      7. Open a new browser and login as user1
      8. In My Site portlet, locate Liferay DXP site, and click on the ⋮ button

      Actual result
      "Go to Private Pages" is displayed.

      Expected result
      "Go to Private Pages" is not displayed, since the user does not have rights to view this page.

      Reproduced in
      DXP DE-11
      Branch commit aabdce50c6752a338ddc01b47a4f496dedcf444d
      Master commit f8c4fbf9f33adb85e508dfe6b248420f152e63cb

        Attachments

          Activity

            People

            Assignee:
            raven.song Raven Song
            Reporter:
            brian.suh Brian Suh
            Participants of an Issue:
            Recent user:
            Marta Elicegui
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Days since last comment:
              3 years, 38 weeks, 4 days ago

                Packages

                Version Package
                7.1.X
                Master