[MAGNOLIA-2316] ACLs assigned directly to user are not used at runtime. Created: 12/Aug/08  Updated: 23/Jan/13  Resolved: 12/Aug/08

Status: Closed
Project: Magnolia
Component/s: security
Affects Version/s: 3.6.1
Fix Version/s: 3.6.2, 3.6.3

Type: Bug
Priority: Major
Reporter: Jan Haderka
Assignee: Jan Haderka
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relation
is related to MAGNOLIA-2317 Reading user nodes without having cor... Closed

 Description   

The ACLs set directly on the user node are not added to the permission lists on login at the moment, which means they are never used during runtime. It can be easily tested by removing acl_roles children from any user ... after doing so the user can still log in without any problems even though in theory (s)he no longer has rights to even read his/her own node data.
Another case that exposes this issue is the fix for MAGNOLIA-574 - when the user edit dialog is enabled directly without the user having rights to access their node via role or group rights, the given user will not be able to edit his/her preferences even though they have such preferences assigned directly to their account.



 Comments   
Comment by Jan Haderka [ 12/Aug/08 ]

r17292
