[ http://jira.magnolia.info/browse/MAGNOLIA-1293?page=all ]
Sameer Charles updated MAGNOLIA-1293:
-------------------------------------
Fix Version/s: 3.1
(was: 3.0.2)
> Role ACL is ignored on public instance
> --------------------------------------
>
> Key: MAGNOLIA-1293
> URL: http://jira.magnolia.info/browse/MAGNOLIA-1293
> Project: Magnolia
> Issue Type: Bug
> Components: core
> Affects Versions: 3.0.1
> Environment: + JDK 5.0_10
> + Tomcat 5.5.20
> + Magnolia deployed using the WAR-files (magnoliaAuthor.war,
> magnoliaPublic.war) as they are packaged with this version
> Reporter: Robert Gacki
> Assigned To: Sameer Charles
> Fix For: 3.1
>
>
> Prerequisites:
> + Create two pages '/one' and '/two'
> + Create a new role 'foo'
> + Assign the ACL entry 'deny access' for '/two' (website) on the 'anonymous'
> user
> + Assign the ACL entry 'read only' for '/two' (website) on the 'foo' user
> + Create a new user 'bar' and assign 'foo'
> + Open the pages in the public instance
> Bug:
> ACLs are ignored. Anonymous users (see MAGNOLIA-1292) can access page '/two'
> and its contents (which is not really bad). But if you check for
> READ-permission on the Content instance for '/two' when logged in as anonymous,
> TRUE is returned. Based on the ACL entry, FALSE is required here. Vice versa,
> logging in as 'foo' to see '/two's contents is not necessary.
> My proposal:
> It is up to the developer / developer's business logic to decide whether to
> display contents secured by the Magnolia ACLs. ACLs must be respected by the
> AccessManager on the public instance.