Bug #3359

Users without view draft permissions can navigate to drafts in information object treeview hierarchy

Added by Evelyn McLellan over 10 years ago. Updated over 7 years ago.

Status: Verified
Start date:
Priority: High
Due date:
Assignee: Jesús García Crespo
% Done: 0%
Category: -
Target version: Release 1.3
Google Code Legacy ID: atom-1409
Tested version:
Sponsored:
Requires documentation:

Description

To reproduce this error:
1) Search for information objects as an unauthenticated user (or other user without view draft permissions)
2) Click on a search result

Resulting error:
Treeview hierarchy shows both published and draft information objects

Expected result:
Treeview hierarchy should show only published information objects

[g] Legacy categories: Access control


Related issues

Duplicated by Access to Memory (AtoM) - Bug #3741: Draft lower level descriptions of published parents visib... Duplicate

History

#1 Updated by Evelyn McLellan over 10 years ago

  • Subject set to Users without view draft permissions can navigate to drafts in information object treeview hierarchy

#2 Updated by Evelyn McLellan over 10 years ago

  • Priority changed from Critical to High

[g] Labels added: Priority-High
[g] Labels removed: Priority-Critical

#3 Updated by Evelyn McLellan about 10 years ago

  • Target version changed from Release 1.0.9 to Release 1.1

Moved to 1.1. Note that when a user clicks on a draft object, s/he is routed to a permission denied page. So they can see the links but they can't actually view the objects.

[g] Labels added: Milestone-Release-1.1
[g] Labels removed: Milestone-Release-1.0.9

#4 Updated by Anonymous about 10 years ago

  • Priority set to Medium

[g] Labels added: Priority-Medium

#5 Updated by Anonymous almost 10 years ago

I have made a modification in my code to hide draft items from anonymous users.
In the function getChildYuiNodes of class QubitInformationObject I added this:

    // Restrict the treeview child query for unauthenticated users
    $user = sfContext::getInstance()->getUser();
    $authenticated = $user->isAuthenticated();
    if (!$authenticated) {
        $Userid = $user->getRoleId();
        // Join each information object to its status row and keep only status id 160
        $criteria->addJoin(QubitInformationObject::ID, QubitStatus::OBJECT_ID);
        $criteria->add(QubitStatus::STATUS_ID, 160);
    }
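Added example, not part of the original thread and not AtoM's own code: the report covers any user without view draft permissions, so this sketch keys the treeview filter on that permission and removes draft nodes before they are rendered as links. The array shapes, the 'viewDraft' permission name and the function names are hypothetical, and the sample data is constructed.

```php
<?php
// Hypothetical names throughout; this is a stand-alone model, not AtoM's API.
const STATUS_DRAFT = 'draft';
const STATUS_PUBLISHED = 'published';

/**
 * Decide whether one node may appear in the treeview for this user.
 * The decision is keyed on the view-draft permission, not on login state.
 */
function canSeeInTree(array $node, array $user): bool
{
    if ($node['status'] === STATUS_PUBLISHED) {
        return true;
    }
    // Anything not published is shown only to holders of the permission.
    return in_array('viewDraft', $user['permissions'], true);
}

/**
 * Return only the child nodes the user may see. Filtering happens before
 * rendering, so titles of hidden drafts are never sent to the browser.
 */
function visibleChildren(array $children, array $user): array
{
    return array_values(array_filter(
        $children,
        fn (array $node): bool => canSeeInTree($node, $user)
    ));
}

// Constructed sample tree level: one draft between two published siblings.
$children = [
    ['id' => 1, 'title' => 'Series A', 'status' => STATUS_PUBLISHED],
    ['id' => 2, 'title' => 'Series B (in progress)', 'status' => STATUS_DRAFT],
    ['id' => 3, 'title' => 'Series C', 'status' => STATUS_PUBLISHED],
];

// Constructed users: anonymous, logged in without the permission, and an editor.
$users = [
    'anonymous'  => ['authenticated' => false, 'permissions' => []],
    'researcher' => ['authenticated' => true,  'permissions' => []],
    'editor'     => ['authenticated' => true,  'permissions' => ['viewDraft']],
];

foreach ($users as $name => $user) {
    $ids = array_column(visibleChildren($children, $user), 'id');
    printf("%-10s sees nodes: %s\n", $name, implode(', ', $ids));
}
```

The same predicate would need to guard every other place that lists node titles, such as search results, which is what the verification in #16 checks alongside the treeview.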

#6 Updated by Evelyn McLellan almost 10 years ago

  • Target version set to Release 1.2

Moved to 1.2.

[g] Labels added: Milestone-Release-1.2

#8 Updated by David Juhasz about 9 years ago

  • Priority set to Low

[g] Labels added: Priority-Low

#9 Updated by David Juhasz over 8 years ago

  • Target version set to Release 1.3

Roll over to Release 1.3

[g] Labels added: Milestone-Release-1.3

#10 Updated by David Juhasz over 8 years ago

  • Priority changed from Low to Medium

[g] Labels added: Priority-Medium
[g] Labels removed: Priority-Low

#11 Updated by Jesús García Crespo about 8 years ago

  • Priority changed from Medium to High

Bump to high.

[g] Labels added: Priority-High
[g] Labels removed: Priority-Medium

#12 Updated by David Juhasz about 8 years ago

Reassign to new account.

[g] New owner: David Juhasz

#13 Updated by Jesús García Crespo about 8 years ago

[g] New owner: Jesús García Crespo

#14 Updated by Anonymous about 8 years ago

Is this issue still confirmed for resolution in DCB 1.3?

#15 Updated by Jesús García Crespo about 8 years ago

  • Status changed from New to QA/Review

Fixed.

#16 Updated by Jessica Bushey about 8 years ago

  • Status changed from QA/Review to Verified

Tested with fonds (published) and lower-levels in both draft and published status. Unauthorized user cannot view draft archival descriptions in treeview and search results do not include draft archival descriptions.
