PUBLIC - Liferay Social Office Community Edition
  1. PUBLIC - Liferay Social Office Community Edition
  2. SOS-1809

Regular users are able to view Private and Private Restricted site wiki activities if they are connected to or following a member of that site

    Details

    • Fix Priority:
      4
    • Affects Portal Version/s:
      6.1.30 EE GA3, 6.1.20 EE GA2
    • Similar Issues:
      Show 5 results 

      Description

      Here are the steps to reproduce:

      1. Add an SO user and add that user as a connection
      2. Add a Private or Private Restricted SO site
      3. Add and update the wiki FrontPage of the site
      4. Sign out and sign as the SO user
      5. Go to Dashboard -> Activities

      Expected result:
      The user should not be able to see the wiki activity

      Actual result:
      The user will see the wiki activity along with the site name (Private Sites should not be visible to non-members)

      The user will not be able to access the site.

        Activity

        Hide
        Vicki Tsang added a comment -

        This is related to several other issues in SO and currently a fix would override portal behavior. We need to tackle this as a larger permission story, possibly in core portal, to ensure that the user expectations, whether end user or admin/IT, are met consistently throughout the product.

        Backlogging as this will not make the cut-off for this release. We will revisit this in a future release. Fix value should remain high.

        Show
        Vicki Tsang added a comment - This is related to several other issues in SO and currently a fix would override portal behavior. We need to tackle this as a larger permission story, possibly in core portal, to ensure that the user expectations, whether end user or admin/IT, are met consistently throughout the product. Backlogging as this will not make the cut-off for this release. We will revisit this in a future release. Fix value should remain high.
        Hide
        Sherry Yang added a comment -

        Tested in 3.x ee (7cb9d4a27d90b001525e6c1ae304eaf8ac90dfe3) can't reproduce it

        Show
        Sherry Yang added a comment - Tested in 3.x ee (7cb9d4a27d90b001525e6c1ae304eaf8ac90dfe3) can't reproduce it
        Hide
        Christian Stokes added a comment -

        Following up on Sherry and Jonathan's comments for 3.x ee:

        This behavior looks like it is only reproducible in 3.x ee IF you add the guest view permission to the Wiki Page asset upon creation (See Jon's comment). If guest view is not enabled on the Wiki page, then everything works as expected.

        If the guest view permission is set however, this leads to the odd behavior where a guest can see the Wiki activity in the Activities portlet, but they cannot view the Wiki activity on the site because the site itself is private or restricted.

        Show
        Christian Stokes added a comment - Following up on Sherry and Jonathan's comments for 3.x ee: This behavior looks like it is only reproducible in 3.x ee IF you add the guest view permission to the Wiki Page asset upon creation (See Jon's comment). If guest view is not enabled on the Wiki page, then everything works as expected. If the guest view permission is set however, this leads to the odd behavior where a guest can see the Wiki activity in the Activities portlet, but they cannot view the Wiki activity on the site because the site itself is private or restricted.

          People

          • Votes:
            1 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Date of First Response:
              Days since last comment:
              35 weeks ago

              Development

                Structure Helper Panel