Details
-
Bug
-
Status: Verified
-
Resolution: Unresolved
-
6.2.X EE, 7.0.0 DXP FP45
Description
It seems, that inline permission checking has a side effect when a site related webcontent's view permission is revoked.
If guest user has no view permisson on the article, site members cannot retrieve the content with JournalArticleServiceImpl.search().
The reason seems to be related to the inline permission algorithm when it constructs the SQL query and adds the resource permissions as the generated query does not retrieve the article without guest user permission.
This property resolves the issue, but it's not acceptable by the customer as they need this feature.
permissions.inline.sql.check.enabled=false
Steps to reproduce
- Deploy proto-portlet (newportlet for Master and 7.0)
- Add an open site : "Site A"
- Add a basic web content in site A : "My site A web content" (remove VIEW permission for Guest)
- Add a basic web content in site A : "My Public web content"
- Add a page with proto-portlet (newportlet for Master and 7.0)
- Create a user : "User One"
- Make "User One" as a site member for Site A
- Login with "User One" and check render proto portlet logs for "User One" access.
Expected behaviour:
Both web content is logged in the server log when proto-portlet is rendered
Actual behaviour:
"My site A web content" doesn't appear in the log
Additionally you can use the attached porltet from LPS-74782
Reproduced on: ee-6.2.x commit 8d43a346bb81b5c4f3f850c27da9ffcc6f5962a8
Reproduced on: fixpack portal-165 (latest)
