Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-97376

User without permission can see message thread if previously subscribed

    Details

      Description

      Steps to reproduce

      1. Start liferay 7.2.x private
      2. Add a Message Board portlet to a page and create a new thread
      3. Go to the threads permissions and for "User" change the thread's permissions:
        1. Check "Subscribe" and "View" permissions for role "User"
        2. Check "View" permission for role "Guest" if not selected
      4. Add a new user and login as new user in another browser
      5. Subscribe to the thread as the new user
      6. As admin user, add a response message to the thread
      7. Change the thread's permission:
        1. Uncheck "Subscribe" and "View" permissions for "User" role
        2. Uncheck "View" permission for "Guest" role
      8. As the new user, access the reply message from URL link from the notification message

      Expected result:

      After clicking on the URL link from the notification page the user is redirected to a not found page and can't see the message thread

      Actual result:

      After clicking on the URL link from the notification page the user can see the message thread
       


       
      Reproduced on:

      Tomcat 9.0.17 + MySQL 5.7

      Portal 7.2.x Private GIT Commit: fc26db2672c8f7d412f1b3eb67643d64b7152099

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Days since last comment:
                3 weeks, 1 day ago

                Packages

                Version Package
                7.2.X
                Master