Details
+ Bug
+ Resolution: Fixed
+ Major
+ 3.0.1
+ None
+ JDK 5.0_10
+ Tomcat 5.5.20
+ Magnolia deployed using the WAR-files (magnoliaAuthor.war, magnoliaPublic.war) as they are packaged with this version
Description
Prerequisites:
+ Create two pages '/one' and '/two'
+ Create a new role 'foo'
+ Assign the ACL entry 'deny access' for '/two' (website) on the 'anonymous' user
+ Assign the ACL entry 'read only' for '/two' (website) on the 'foo' user
+ Create a new user 'bar' and assign 'foo'
+ Open the pages in the public instance
Bug:
ACLs are ignored. Anonymous users (see MAGNOLIA-1292) can access page '/two' and its contents (which is not really bad). But if you check for READ permission on the Content instance for '/two' when logged in as anonymous, TRUE is returned. Based on the ACL entry, FALSE is required here. Vice versa, logging in as 'foo' to see '/two's contents is not necessary.
My proposal:
It is up to the developer / developer's business logic to decide whether to display contents secured by the Magnolia ACLs. ACLs must be respected by the AccessManager on the public instance.
Issue Links
- depends upon MAGNOLIA-1292 "anonymous" user is not logged in by default on public instance (Closed)