![]() |
|
|
|
|
|
|
Change By:
|
Mikael Geljic
(11/Dec/13 12:00 PM)
|
|
Summary:
|
Changing permission of a subtree to read only enables users to perform
UI shouldn't show
actions
they should not be allowed to
for which the user has no permissions
|
|
Fix Version/s:
|
5.2.x
|
|
Fix Version/s:
|
5.2.1
|
|
Description:
|
This ticket originally helped us uncover security issues in core (see links), but the UI should also adjust itself correctly to denote correct user permissions, by disabling or hiding unauthorized actions, and maintaining proper state according to such permissions.
-- ORIGINAL DESCRIPTION --
I changed the permission of the editors in a subtree to read only.
The following issues occurred if I'm logged in as a editor:
- Sometimes it renders a page without the components (fine) but I still can edit the page properties
- I can exclude channels (page title I can't change)
- I can add a page (just not selecting a template)
- Some pages do not render (stay grey)
|
|
Component/s:
|
security app
|
|
|
|
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
|
----------------------------------------------------------------
For list details, see: http://www.magnolia-cms.com/community/mailing-lists.html
Alternatively, use our forums: http://forum.magnolia-cms.com/
To unsubscribe, E-mail to: <
[email protected]>
----------------------------------------------------------------
Repurposing ticket for UI glitches related to permissions, though they do not affect security of data. These are action availability issues (currently they don't take permissions into account) and page-editor state when navigating between RW and RO pages.