  1. Magnolia
  2. MAGNOLIA-1293

Role ACL is ignored on public instance


Details

    • Bug
    • Resolution: Fixed
    • Major
    • 3.1 M1
    • 3.0.1
    • core
    • None
    • + JDK 5.0_10
      + Tomcat 5.5.20
      + Magnolia deployed using the WAR-files (magnoliaAuthor.war, magnoliaPublic.war) as they are packaged with this version

    Description

      Prerequisites:
      + Create two pages '/one' and '/two'
      + Create a new role 'foo'
      + Assign the ACL entry 'deny access' for '/two' (website) on the 'anonymous' user
      + Assign the ACL entry 'read only' for '/two' (website) on the 'foo' user
      + Create a new user 'bar' and assign 'foo'
      + Open the pages in the public instance

      Bug:
      ACLs are ignored. Anonymous users (see MAGNOLIA-1292) can access page '/two' and its contents (which is not really bad). But if you check for READ permission on the Content instance for '/two' when logged in as anonymous, TRUE is returned. Based on the ACL entry, FALSE is required here. Vice versa, logging in as 'foo' to see the contents of '/two' is not necessary.

      My proposal:
      It is up to the developer / developer's business logic to decide whether to display contents secured by the Magnolia ACLs. ACLs must be respected by the AccessManager on the public instance.
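
The expected outcome of the reproduction steps above, written as a self-contained regression check. This is an added example, not part of the original report and not Magnolia's AccessManager code. The class name, the permission bit values, the longest-prefix matching rule, the union across roles and the anonymous read entry on '/' are all assumptions of this model.

```java
import java.util.*;

// Simplified model of role-based path ACLs (hypothetical, not Magnolia code).
public class AclRegressionCheck {
    static final long NONE = 0, READ = 8; // constructed bit values

    // role -> (path -> granted permission bits), mirroring the report's setup
    static final Map<String, Map<String, Long>> ROLE_ACLS = Map.of(
        "anonymous", Map.of("/", READ, "/two", NONE), // 'deny access' on /two
        "foo",       Map.of("/two", READ));           // 'read only' on /two
    // user -> assigned roles
    static final Map<String, List<String>> USER_ROLES = Map.of(
        "anonymous", List.of("anonymous"),
        "bar",       List.of("foo"));

    static boolean matches(String prefix, String path) {
        return prefix.equals("/") || path.equals(prefix) || path.startsWith(prefix + "/");
    }

    // Per role, the most specific matching entry wins; roles are then OR-ed.
    // Unknown users and paths without any entry fail closed.
    static boolean isGranted(String user, String path, long wanted) {
        long granted = NONE;
        for (String role : USER_ROLES.getOrDefault(user, List.of())) {
            Map<String, Long> acl = ROLE_ACLS.getOrDefault(role, Map.of());
            String best = null;
            for (String prefix : acl.keySet()) {
                if (matches(prefix, path) && (best == null || prefix.length() > best.length())) {
                    best = prefix;
                }
            }
            if (best != null) granted |= acl.get(best);
        }
        return (granted & wanted) == wanted;
    }

    static void check(String user, String path, boolean expected) {
        boolean actual = isGranted(user, path, READ);
        System.out.printf("%-9s READ %-10s -> %s%n", user, path, actual);
        if (actual != expected) throw new AssertionError(user + " on " + path);
    }

    public static void main(String[] args) {
        check("anonymous", "/one", true);        // no restriction on /one
        check("anonymous", "/two", false);       // the result the report requires
        check("anonymous", "/two/child", false); // deny covers descendants
        check("bar", "/two", true);              // 'bar' holds role 'foo'
        check("nobody", "/two", false);          // unknown user: fail closed
    }
}
```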

              People

                scharles Sameer Charles
                rtgacki Robert Gacki