Be aware that we may have other regressions,
because I added more checks on methods. I sent you a mail with checks
that are done in public methods.
Please review it with Thierry :)
Eugen fixed another regression - members cannot open some pages because
they don't have Version permission.
We need to carefully check relations between permissions and web pages
because when displaying a page in the background we may have a lot of
permissions checked.
Bogdan
Julien Anguenot wrote:
Bogdan Stefanescu wrote:
Last night I reviewed and updated security checks done in public API.
I sent to some of us the list of checks that are performed for validation.
This should be a regression because I put a security check in the
method getACP()
that checks if the user has ReadSecurity permission.
As ReadSecurity is not in Read group a user having only Read
permission will not be able to get the ACP of the document.
Maybe the ACP is fetched through the getACP() method when entering the
domain and so a security exception is thrown.
I see 2 possible fixes:
1. don't check ReadSecurity when calling getACP()
2. put ReadSecurity in Read group
Right. Thierry did choose 2.
J.
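A small model of the regression and the two fixes discussed in this thread, added here as an illustration and not taken from the Nuxeo code base. `get_acp`, the group tables and the page requirement list are hypothetical stand-ins, and the contents of the Read group are assumed.

```python
# Constructed model of the permission check discussed in the thread.
# All names are hypothetical stand-ins, not the Nuxeo API.

class SecurityError(Exception):
    pass

# Assumed group contents: the thread only says ReadSecurity is not in Read.
READ_GROUP_BEFORE = {"Read": {"Read"}}
READ_GROUP_FIX2 = {"Read": {"Read", "ReadSecurity"}}  # fix 2 from the thread

def effective(granted, groups):
    """Expand granted permission names through the group table."""
    out = set()
    for name in granted:
        out |= groups.get(name, {name})
    return out

def get_acp(doc, granted, groups, check_read_security=True):
    """Stand-in for getACP(); fix 1 corresponds to check_read_security=False."""
    if check_read_security and "ReadSecurity" not in effective(granted, groups):
        raise SecurityError("ReadSecurity required")
    return doc["acp"]

def missing_for_page(required, granted, groups):
    """Audit helper: permissions a page render needs but the user lacks."""
    return sorted(set(required) - effective(granted, groups))

DOMAIN = {"acp": [("members", "Read", True)]}  # constructed sample ACP
# Assumed: rendering the domain page calls get_acp(), so it needs both.
DOMAIN_PAGE_NEEDS = ["Read", "ReadSecurity"]

def outcome(granted, groups, check=True):
    """Return 'ok' or 'denied' for fetching the domain's ACP."""
    try:
        get_acp(DOMAIN, granted, groups, check)
        return "ok"
    except SecurityError:
        return "denied"

if __name__ == "__main__":
    reader = {"Read"}
    cases = [("before", READ_GROUP_BEFORE, True),
             ("fix 1", READ_GROUP_BEFORE, False),
             ("fix 2", READ_GROUP_FIX2, True)]
    for label, groups, check in cases:
        gap = missing_for_page(DOMAIN_PAGE_NEEDS, reader, groups)
        print(label, outcome(reader, groups, check), "missing:", gap)
```

In this model fix 1 returns the ACP to any caller, while fix 2 returns it to every holder of Read; running `missing_for_page` over each page's required permissions is one way to find regressions like the Version one before users do.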