Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-81544

Guest user can seemingly check in/check out any asset without permissions

    Details

      Description

      Steps to reproduce:

      1. Add a DM portlet to site page
      2. Enable actions for documents
      3. Add a couple of assets, granting only VIEW permissions to guest
      4. Log out
      5. As guest, assert assets can be viewed

      Expected result:
      Assets can be viewed but cannot be checked in or checked out.

      Actual result:
      Assets can be viewed but can be checked in/checked out using the management toolbar.

      While checking in/checking out any asset results in a success message, the asset is not actually checked in.

      Reproduced on:
      Tomcat 9.0.7 + MySQL 5.7.
      Portal master GIT ID: d3c3dc6e3afd69606cbe2ad1f9642c1066ac756d

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              austin.chiang Austin Chiang
              Reporter:
              austin.chiang Austin Chiang
              Participants of an Issue:
              Recent user:
              Jason Pince
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Days since last comment:
                3 years, 51 weeks, 2 days ago

                  Packages

                  Version Package
                  7.1.0 Beta 3
                  7.1.X
                  Master