  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-74326

Site Member can unexpectedly add portlets on a page after "Add to Pages" permission is removed from User/PowerUser

    Details

    • Type: Bug
    • Status: Closed
    • Resolution: Won't Fix
    • Affects Version/s: 7.0.X EE
    • Fix Version/s: None
    • Labels:
    • Fix Priority: 3

      Description

       - What the customer wants to accomplish is to configure which portlets a Site Member can add on a page after the "Update" permission is granted to Site Member on the page.
       - So what they did was remove the "Add to Page" permissions (e.g. for "Hello Soy" and "Hello Velocity") from User/Power User, and grant the "Update" permission to Site Member on the page.
       - The issue the customer finally encountered is that Site Member could add "Hello Soy Portlet" on a page, while "Hello Velocity" could not be selected.

      Steps to Reproduce

      1. Start dxp
      2. Go to Control Panel > Users > Users and Organizations, and create a user "UserA", and add UserA to Site "Liferay DXP" and Save
      3. Go to Control Panel > Users > Roles > User > Define Permissions
      4. Remove permission "Add to Page" of "Hello Velocity", "Hello Soy Portlet" from user
      5. Remove permission "Add to Page" of "Hello Velocity", "Hello Soy Portlet" from Power user
      6. Go to Site "Liferay DXP" > Navigation > Welcome page > Configure Page > hamburger button at the top-right > Permissions, and enable permission "Update" to SiteMember and Save
      7. Login as UserA
      8. Go to Site Liferay DXP > Welcome Page > Add > Add Applications, and add "Hello Velocity" portlet and "Hello Soy" portlet

      Expected Behavior
      Both "Hello Soy" portlet and "Hello Velocity" portlet should not be shown on the list.
      Actual Behavior
      Unexpectedly, Site Member could add the "Hello Soy" portlet on a page, while Site Member could add the "Hello Velocity" portlet.
      The estimated root cause is that the existing Site Member role, which is not shown by default, has the "Add to Pages" permission for "Hello Soy Portlet".

      What needs to be clarified

      • Whether it is a bug that Site Member can add a portlet whose permission has already been removed.
      • Whether it is a bug that the existing Site Member permissions are neither controllable nor displayed. See "sitemember_role_defaultUI.png".
      • Whether there is a workaround to configure which portlets Site Member can add on a page after the "Update" permission is granted to Site Member on the page.

      Reproduced in
      de-28
      master(2884d01ce582702fdf84a17d125bb228bf39d813)
      branch(2471a53912e5424121d722a23922183810332d2b)
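
One way to check the estimated root cause is to list every role that still holds "Add to Page" on the two portlets, including roles the Define Permissions UI does not display. The query below is an added example, not part of the original ticket or Liferay's own tooling. It assumes Liferay's stock table and column names (Role_, ResourcePermission, ResourceAction), a database that supports the `&` bitwise operator, and uses placeholders for the portlet IDs, which the ticket does not give.

```sql
-- Added audit query (not from the ticket). Assumptions:
--   * stock Liferay schema: Role_, ResourcePermission, ResourceAction
--   * portlet permissions are stored with ResourcePermission.name = portlet ID
--   * actionIds is a bitmask whose bits are defined in ResourceAction.bitwiseValue
--   * the two portlet IDs below are placeholders; substitute the real IDs
-- On databases without the & operator (e.g. Oracle), use BITAND(a, b) instead.
SELECT r.name      AS role_name,
       r.type_     AS role_type,     -- 1 = regular, 2 = site, 3 = organization
       rp.name     AS portlet_id,
       rp.scope    AS scope,         -- 1 = company, 2 = group,
                                     -- 3 = group template, 4 = individual
       rp.primKey  AS scope_key
FROM ResourcePermission rp
JOIN ResourceAction ra
  ON ra.name     = rp.name
 AND ra.actionId = 'ADD_TO_PAGE'
JOIN Role_ r
  ON r.roleId    = rp.roleId
 AND r.companyId = rp.companyId
WHERE rp.name IN ('<HELLO_SOY_PORTLET_ID>', '<HELLO_VELOCITY_PORTLET_ID>')
  AND (rp.actionIds & ra.bitwiseValue) <> 0   -- role holds the ADD_TO_PAGE bit
ORDER BY rp.name, r.type_, r.name;
```

A row for the Site Member role (role_type 2) on the "Hello Soy" portlet ID, with no matching row for "Hello Velocity", would be consistent with the behavior described above after the User and Power User grants were removed.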
