PUBLIC - Liferay Portal Community Edition / LPS-77022

Password policy erroneously shows "Add Members" button and UI, even when user only has VIEW permission

    Details

      Description

      Steps to reproduce:

      • Create a role "Password Policy Administrator"
      • "Define Permissions" like this:
        Password Policies: Access in Control Panel
        Password Policies: View
        Password Policies > Password Policy: Update
        Password Policies > Password Policy: View
      • i.e. explicitly do not include the "Assign Members" permission
      • Assign this role to an otherwise unprivileged user and log in as this user
      • Navigate to "Password Policies" and click "Default Password Policy": you'll see the default user list for this policy, together with the "Add" button in the bottom right corner (unexpectedly)
      • Click "Add Member", select any user, and submit
      • Result: You'll see an error message.

      Expected Result: User without "Assign Members" permission cannot see "Add Members" button
      Actual Result: User without "Assign Members" permission can see "Add Members" button

      Conclusion:

      • Permissions are checked on the operation, but not before. (good)
      • The Add button should not have been shown in the first place. (this is what the issue is about)
      • The error message is the technical fallback error message, because the error is unexpected (the user shouldn't be able to reach this position by just clicking)

      Updated Expected Result: User without "Assign Members" permission cannot navigate to "Add Members" page
      Updated Actual Result: User without "Assign Members" permission can navigate to "Add Members" page
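
The conclusion above, as an added example that is not part of the original issue and is not Liferay code: one permission predicate gates the button, the page navigation and the operation, so the three layers cannot disagree. All class, method and page names are hypothetical, and the role mirrors the one in the steps to reproduce.

```java
import java.util.Arrays;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

// Added illustration: every name here is hypothetical, none of it is Liferay code.
public class AssignMembersGate {
    enum Action { ACCESS_IN_CONTROL_PANEL, VIEW, UPDATE, ASSIGN_MEMBERS }

    // Role from the steps to reproduce: no ASSIGN_MEMBERS.
    static final Set<Action> POLICY_ADMIN =
        EnumSet.of(Action.ACCESS_IN_CONTROL_PANEL, Action.VIEW, Action.UPDATE);

    // One predicate, reused by every layer so they cannot drift apart.
    static boolean canAssignMembers(Set<Action> granted) {
        return granted.contains(Action.ASSIGN_MEMBERS);
    }

    // Layer 1: rendering. The reported behaviour equals this returning true for everyone.
    static boolean showAddButton(Set<Action> granted) {
        return canAssignMembers(granted);
    }

    // Layer 2: navigation to the "Add Members" page (the updated expected result).
    static String openAddMembersPage(Set<Action> granted) {
        return canAssignMembers(granted) ? "add-members-page" : "no-permission-page";
    }

    // Layer 3: the operation. This check stays even when the UI hides the button,
    // because a request can be sent without going through the UI.
    static void assignMember(Set<Action> granted, long userId) {
        if (!canAssignMembers(granted)) {
            throw new SecurityException("ASSIGN_MEMBERS required");
        }
        System.out.println("assigned user " + userId);
    }

    public static void main(String[] args) {
        List<Set<Action>> cases = Arrays.asList(POLICY_ADMIN, EnumSet.allOf(Action.class));
        for (Set<Action> granted : cases) {
            System.out.println(granted + " button=" + showAddButton(granted)
                + " page=" + openAddMembersPage(granted));
            try {
                assignMember(granted, 42L); // constructed user id
            } catch (SecurityException e) {
                System.out.println("operation refused: " + e.getMessage());
            }
        }
    }
}
```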


                Packages

                Version Package
                7.0.0 DXP FP59
                7.0.0 DXP SP9
                7.0.X
                7.1.10 DXP FP3
                7.1.1 CE GA2
                7.1.10.1 SP1