[SOS-1809] Regular users are able to view Private and Private Restricted site wiki activities if they are connected to or following a member of that site - Liferay Issues

Details

Type: Regression Bug
Status: Verified
Priority: Major
Resolution: Unresolved
Affects Version/s: 2.1.X EE
Fix Version/s: 2.1.X CE, 2.1.X EE
Component/s: Social Office Dashboard, Social Office Dashboard > Activities, Social Office Dashboard > Sites
Labels:
- permissions_so
Environment:
Tomcat 7.0.27 + MySQL 5. Portal 6.1.20 EE GA2.
Plugins 6.1.x EE GIT ID: 62cbe21f994e1a88e1802991b91d9b252e750286.
Tomcat 7.0.40 + MySQL 5. Portal 6.1.30 EE GA3.
Plugins 6.1.x EE GIT ID: 62cbe21f994e1a88e1802991b91d9b252e750286.

Fix Priority:
4
Affects Portal Version/s:

6.1.30 EE GA3, 6.1.20 EE GA2

Similar Issues:

Show 5 results

Description

Here are the steps to reproduce:

1. Add an SO user and add that user as a connection
2. Add a Private or Private Restricted SO site
3. Add and update the wiki FrontPage of the site
4. Sign out and sign as the SO user
5. Go to Dashboard -> Activities

Expected result:
The user should not be able to see the wiki activity

Actual result:
The user will see the wiki activity along with the site name (Private Sites should not be visible to non-members)

The user will not be able to access the site.

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Vicki Tsang added a comment - 30/Sep/13 11:55 AM

This is related to several other issues in SO and currently a fix would override portal behavior. We need to tackle this as a larger permission story, possibly in core portal, to ensure that the user expectations, whether end user or admin/IT, are met consistently throughout the product.

Backlogging as this will not make the cut-off for this release. We will revisit this in a future release. Fix value should remain high.

Show

Vicki Tsang added a comment - 30/Sep/13 11:55 AM This is related to several other issues in SO and currently a fix would override portal behavior. We need to tackle this as a larger permission story, possibly in core portal, to ensure that the user expectations, whether end user or admin/IT, are met consistently throughout the product. Backlogging as this will not make the cut-off for this release. We will revisit this in a future release. Fix value should remain high.

Hide

Permalink

Sherry Yang added a comment - 05/Mar/14 11:06 AM

Tested in 3.x ee (7cb9d4a27d90b001525e6c1ae304eaf8ac90dfe3) can't reproduce it

Show

Sherry Yang added a comment - 05/Mar/14 11:06 AM Tested in 3.x ee (7cb9d4a27d90b001525e6c1ae304eaf8ac90dfe3) can't reproduce it

Hide

Permalink

Christian Stokes added a comment - 25/Jul/14 11:55 AM

Following up on Sherry and Jonathan's comments for 3.x ee:

This behavior looks like it is only reproducible in 3.x ee IF you add the guest view permission to the Wiki Page asset upon creation (See Jon's comment). If guest view is not enabled on the Wiki page, then everything works as expected.

If the guest view permission is set however, this leads to the odd behavior where a guest can see the Wiki activity in the Activities portlet, but they cannot view the Wiki activity on the site because the site itself is private or restricted.

Show

Christian Stokes added a comment - 25/Jul/14 11:55 AM Following up on Sherry and Jonathan's comments for 3.x ee: This behavior looks like it is only reproducible in 3.x ee IF you add the guest view permission to the Wiki Page asset upon creation (See Jon's comment). If guest view is not enabled on the Wiki page, then everything works as expected. If the guest view permission is set however, this leads to the odd behavior where a guest can see the Wiki activity in the Activities portlet, but they cannot view the Wiki activity on the site because the site itself is private or restricted.

People

Assignee:

SE Support

Reporter:

Ken Duenwald

Participants of an Issue:

Christian Stokes, Ken Duenwald, SE Support, Sherry Yang, Vicki Tsang

Votes:

1 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

27/Sep/13 4:39 PM

Updated:

25/Jul/14 11:55 AM

Date of First Response:

30/Sep/13 11:55 AM

Days since last comment:

31 weeks, 5 days ago

Development

Agile

View on Board

Structure Helper Panel

~~SOS-2065~~	Cannot view wiki changes from activities in Private and Private Restricted sites
~~SOS-1796~~	Super Admins are able to access pages of Private and Private Restricted Sites that they do not own by way of activities
~~SOS-945~~	Private and restricted site invitation tracking
~~SOS-1679~~	Private Restricted Site name is misaligned in Sites Directory for non-members
~~SOS-1010~~	User cannot leave a Private Site