[TASKS-34] Users without permissions over the pending to publish content can still publish it Created: 24/Feb/23  Updated: 29/Aug/23

Status: Open
Project: Tasks
Component/s: None
Affects Version/s: 6.2.22
Fix Version/s: None

Type: Bug Priority: Neutral
Reporter: Roberto Gaona Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
causality
Template:
Acceptance criteria:
Empty
Date of First Response:
Epic Link: AuthorX Support
Team: AuthorX

 Description   

Steps to reproduce

This is reproducible on our demo instance:

  1. Change travel-demo-publishers permissions to only allow them to read/write on travel site.
  2. Create as superuser or any editor a publishing task for sportstation or a subpage of it.
  3. Login as a travel-demo-publisher and check the tasks.

Expected results

Since the user doesn't have permissions over the published pages, we would expect no task to be visible to him.

Actual results

All tasks are available regardless of the ACLs set for the user.

Workaround

Development notes


Generated at Mon Feb 12 11:03:23 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.