Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-81544

Guest user can seemingly check in/check out any asset without permissions

Details

    Description

      Steps to reproduce:

      1. Add a DM portlet to site page
      2. Enable actions for documents
      3. Add a couple of assets, granting only VIEW permissions to guest
      4. Log out
      5. As guest, assert assets can be viewed

      Expected result:
      Assets can be viewed but cannot be checked in or checked out.

      Actual result:
      Assets can be viewed but can be checked in/checked out using the management toolbar.

      While checking in/checking out any asset results in a success message, the asset is not actually checked in.

      Reproduced on:
      Tomcat 9.0.7 + MySQL 5.7.
      Portal master GIT ID: d3c3dc6e3afd69606cbe2ad1f9642c1066ac756d

      Attachments

        Issue Links

          Activity

            People

              austin.chiang Austin Chiang
              austin.chiang Austin Chiang
              Marta Elicegui Marta Elicegui
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                5 years, 3 days ago

                Packages

                  Version Package
                  7.1.0 Beta 3
                  7.1.X
                  Master