User can see, select and (trigger) publish resources in publish dialog even if he is not allow to see them (OpenCms 10.0.1) #709
Comments
tobias-karrer
changed the title
gWestenberger
added a commit
that referenced
this issue
Sep 23, 2021
|
Fixed in master branch. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Status Quo
I created a user able to login by adding him to User group
and removed permissions for that site
User then can open the publish dialog and select resources to publish, even if he is not allowed to see them
Clicking on publish closes the dialog with message "", but permissions are checked, it got not published and errors are logged:
... Caused by: org.opencms.security.CmsPermissionViolationException: Denied access to resource "/sites/group/.content/linkaccordion/", required permissions are "+r". at org.opencms.db.CmsSecurityManager.checkPermissions(CmsSecurityManager.java:6967) at org.opencms.db.CmsSecurityManager.checkPermissions(CmsSecurityManager.java:6938) at org.opencms.db.CmsSecurityManager.readResource(CmsSecurityManager.java:7338) at org.opencms.db.CmsSecurityManager.readResource(CmsSecurityManager.java:4932)Expected behaviour
User can't see the resources he has not access in publish dialog.
The text was updated successfully, but these errors were encountered: