Bug #3359
Users without view draft permissions can navigate to drafts in information object treeview hierarchy
Status: | Verified | Start date: |
---|---|---|---
Priority: | High | Due date: |
Assignee: | Jesús García Crespo | % Done: | 0%
Category: | - | |
Target version: | Release 1.3 | |
Google Code Legacy ID: | atom-1409 | Tested version: |
Sponsored: | | Requires documentation: |
Description
To reproduce this error:
========================
1) Search for information objects as an unauthenticated user (or other user without view draft permissions)
2) Click on a search result

Resulting error:
================
Treeview hierarchy shows both published and draft information objects

Expected result:
================
Treeview hierarchy should show only published information objects
[g] Legacy categories: Access control
History
#1 Updated by Evelyn McLellan about 12 years ago
- Subject set to Users without view draft permissions can navigate to drafts in information object treeview hierarchy
#2 Updated by Evelyn McLellan about 12 years ago
- Priority changed from Critical to High
[g] Labels added: Priority-High
[g] Labels removed: Priority-Critical
#3 Updated by Evelyn McLellan almost 12 years ago
- Target version changed from Release 1.0.9 to Release 1.1
Moved to 1.1. Note that when a user clicks on a draft object, s/he is routed to a permission denied page. So they can see the links but they can't actually view the objects.
[g] Labels added: Milestone-Release-1.1
[g] Labels removed: Milestone-Release-1.0.9
#4 Updated by Anonymous almost 12 years ago
- Priority set to Medium
[g] Labels added: Priority-Medium
#5 Updated by Anonymous almost 12 years ago
I have made a modification in my code to hide draft items from anonymous users.
In function getChildYuiNodes of class QubitInformationObject I added this:
########
// Look up the current user from the symfony context.
$user = sfContext::getInstance()->getUser();
$authenticated = $user->isAuthenticated();
if (!$authenticated)
{
  $Userid = $user->getRoleId(); // not used below
  // Join the status table and keep only rows whose status id is 160.
  $criteria->addJoin(QubitInformationObject::ID, QubitStatus::OBJECT_ID);
  $criteria->add(QubitStatus::STATUS_ID, 160);
}
###########################################
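
The issue title concerns users without view draft permissions, while the snippet in comment #5 filters only when the user is not logged in. The following added example (not AtoM code and not from any commenter) runs both checks over constructed tree nodes and users to show where they differ. All function, field and permission names are hypothetical, and 159 as the draft status id is an assumption; only 160 appears on this page.

```php
<?php
// Added example with constructed data; all names here are hypothetical.
const STATUS_PUBLISHED = 160; // id used in comment #5, taken here to mean "published" (assumption)
const STATUS_DRAFT = 159;     // assumed id for "draft"; not stated on this page

// Constructed treeview children of one published fonds.
$children = [
    ['id' => 11, 'title' => 'Series A', 'status' => STATUS_PUBLISHED],
    ['id' => 12, 'title' => 'Series B (unreviewed)', 'status' => STATUS_DRAFT],
    ['id' => 13, 'title' => 'Series C', 'status' => STATUS_PUBLISHED],
];

// Constructed users; "viewDraft" models the view draft permission in the bug title.
$users = [
    'anonymous'  => ['authenticated' => false, 'permissions' => []],
    'researcher' => ['authenticated' => true,  'permissions' => []],
    'editor'     => ['authenticated' => true,  'permissions' => ['viewDraft']],
];

// Check A: mirrors comment #5, which restricts the query only for logged-out users.
function visibleByAuthentication(array $nodes, array $user): array
{
    if ($user['authenticated']) {
        return $nodes;
    }
    return array_values(array_filter($nodes, fn($n) => $n['status'] === STATUS_PUBLISHED));
}

// Check B: decides on the permission itself, so a logged-in user without
// viewDraft receives the same tree as an anonymous visitor.
function visibleByPermission(array $nodes, array $user): array
{
    if (in_array('viewDraft', $user['permissions'], true)) {
        return $nodes;
    }
    return array_values(array_filter($nodes, fn($n) => $n['status'] === STATUS_PUBLISHED));
}

// Print the node ids each check would place in the treeview, per user.
foreach ($users as $name => $user) {
    $a = array_column(visibleByAuthentication($children, $user), 'id');
    $b = array_column(visibleByPermission($children, $user), 'id');
    printf("%-10s auth-check: [%s]  permission-check: [%s]\n",
        $name, implode(',', $a), implode(',', $b));
}
```

The two checks agree for the anonymous user and the editor; they differ for the logged-in user who lacks the permission, which is the case a regression test for this bug should include alongside the anonymous one.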
#6 Updated by Evelyn McLellan over 11 years ago
- Target version set to Release 1.2
Moved to 1.2.
[g] Labels added: Milestone-Release-1.2
#9 Updated by David Juhasz over 10 years ago
- Target version set to Release 1.3
Roll over to Release 1.3
[g] Labels added: Milestone-Release-1.3
#10 Updated by David Juhasz about 10 years ago
- Priority changed from Low to Medium
[g] Labels added: Priority-Medium
[g] Labels removed: Priority-Low
#11 Updated by Jesús García Crespo about 10 years ago
- Priority changed from Medium to High
Bump to high.
[g] Labels added: Priority-High
[g] Labels removed: Priority-Medium
#12 Updated by David Juhasz almost 10 years ago
Reassign to new account.
[g] New owner: David Juhasz
#13 Updated by Jesús García Crespo almost 10 years ago
[g] New owner: Jesús García Crespo
#14 Updated by Anonymous almost 10 years ago
Is this issue still confirmed for resolution in DCB 1.3?
#16 Updated by Jessica Bushey almost 10 years ago
- Status changed from QA/Review to Verified
Tested with fonds (published) and lower-levels in both draft and published status. Unauthorized user cannot view draft archival descriptions in treeview and search results do not include draft archival descriptions.