Affects Version/s: 7.0.0 DXP FP77, 7.0.X, 7.1.10 DXP FP9, 7.1.X, Master
Fix Version/s: Master
Certain LocalServiceImpl classes call filterFindBy* and filterCountBy* methods which means those service methods are doing indirect permission checking. Permission check should not happen in a local service as it is also stated by our official materials, e.g.:
Steps to reproduce:
- Set in portal-ext.properties
- Start the portal and login as Administrator.
- Create a new regular role "User Groups Admin".
- Create 2 new user groups: "Public User Group" and "Private User Group". Note that only "Owner" role has any permission on these resources. All other role have no permission on them.
- Assign "VIEW" permission to "User Groups Admin" role for "Public User Group" user group.
- Create a new User with screenname "testuser".
- Assign "User Groups Admin" role to user "testuser".
- Create another User with screenname "groupuser".
- Assing "groupuser" to both usergroups
- Run the following Groovy script (also attached as search_user_groups.groovy) under Control Panel > Configuration > Server Administration > Script
The scrip is simply imitating that "testuser" is searching for the user groups where "groupuser" is a member. We use DB search via local service.
Expected: Both user groups are returned as local service should not call filterFindBy*, only findBy* methods.
Actual: Only "Public User Group" is returned.