  1. JBoss Portal
  2. JBPORTAL-2033

User with only read-permissions on a folder cannot read a folder

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 2.6.5 SP1
    • Fix Version/s: 2.6.6 Final
    • Component/s: Portal CMS
    • Labels:
      None

      Description

      In the ACLInterceptor there is a special part of the code (the applyFilter method), which was obviously created to hide items from a user who has no write access and browses in a tool portlet (i.e. CMSAdmin).

      But this aim should not be satisfied on the ACL level, in my opinion, because it's a contradiction that a user has read permission but cannot read the item.

      And reading a folder by a user seems to be a legitimate request, even if he has no write permission, i.e. to build a folder index and browse a folder.

      Possible solution: specify the need of the result in the command (i.e. only read or something else) and don't filter if the result of the command will be needed for reading only.

      Or maybe better: filter on the application level, after the result was caught from the command by the executor.

      At the moment, I just commented out this line in applyFilter:
      securityContext.removeAttribute("command");
      to disable this feature entirely and to give read-permitted users read access.


              People

              • Assignee:
                soshah Sohil Shah
                Reporter:
                wulf.rowek Wulf Rowek