Affects Version/s: 7.0.0 DXP FP11, 7.0.0 DXP SP2, Master
The My Sites portlet displays all of the sites that a user belongs to, and in the options next to each sites, lists the following options:
- Go to Public Page
- Go to Private Page
In a scenario where a user is a Site Member, and does not have View access to a Private page, the Go to Private Page link is still available. Clicking on it lands the user on a Forbidden error page:
This is correct behavior, since the Site Member user does not have access. It seems that the My Sites portlet should not display Go to Private Page if a user has no rights to access the private pages.
Steps to Reproduce
- Setup Liferay DXP + DE-11
- Add a My Site portlet to the Public "Welcome" page of the Liferay DXP site
- Create a user (e.g. user1) and join the Liferay DXP site to become a Site Member
- In the default Liferay DXP site, create a private page (e.g. Private_Welcome)
- Configure the Private_Welcome page by clicking Private Pages > Private_Welcome > ⁝ button > Configure Page
- In the Configure Page pane, click the ⋮ button (top right corner) > Permissions > uncheck all permissions for all roles other than "Owner" (i.e. everything for Owner is checked, but nothing else)
- Open a new browser and login as user1
- In My Site portlet, locate Liferay DXP site, and click on the ⋮ button
"Go to Private Pages" is displayed.
"Go to Private Pages" is not displayed, since the user does not have rights to view this page.
Branch commit aabdce50c6752a338ddc01b47a4f496dedcf444d
Master commit f8c4fbf9f33adb85e508dfe6b248420f152e63cb