User with only read-permissions on a folder cannot read a folder
----------------------------------------------------------------
Key: JBPORTAL-2033
URL: http://jira.jboss.com/jira/browse/JBPORTAL-2033
Project: JBoss Portal
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Portal CMS
Reporter: Wulf Rowek
Assigned To: Sohil Shah
In the ACLInterceptor there is a special part of the code (the applyFilter method), which
was obviously created to hide items from a user who has no write access and browses in a
tool portlet (i.e. CMSAdmin),
but in my opinion this aim should not be satisfied at the ACL level, because it is a
contradiction that a user has read permission but cannot read the item.
And reading a folder seems to be a legitimate request for a user, even if he has no write
permission, i.e. to build a folder index and browse a folder.
Possible solution: specify the need for the result in the command (i.e. only read or
something else) and don't filter if the result of the command will be needed for
reading only.
Or maybe better: filter at the application level, after the result has been caught from
the command by the executor.
At the moment, I have just commented out this line in applyFilter
securityContext.removeAttribute("command");
to disable this feature entirely and to give read-permitted users read access.