Details
- Bug
- Resolution: Fixed
- Medium
- 4.7.0, 5.0, 5.1
- None
- eZ Publish Enterprise 4.7
Description
Given that roles and policies are based on the whitelist principle (everything is denied until you say otherwise), they should always be additive, never subtractive. Nevertheless, under specific conditions, they display subtractive behavior.
Steps to reproduce:
1. Create new folder (e.g. "Test") under /Media/Images/;
2. Create "Test 1" and "Test 2" user groups;
3. Create new user "John Smith" and assign him to both groups;
4. Create two new roles, "Test role 1" and "Test role 2";
   Add the following policies to the "Test role 1" role:
   user | login | no limitations |
   content | read | no limitations |
   content | create | no limitations |
   Add the following policies to the "Test role 2" role:
   user | login | no limitations |
   content | read | no limitations |
   content | create | Class( Article ), Section( Media ) |
5. Assign "Test role 1" to "Test 1" user group with subtree limitation of /Media/;
6. Assign "Test role 2" to "Test 2" user group with subtree limitation of /Media/Images/Test/;
After this, log in as "John Smith" and go to /Media/Images/Test/. Clicking on the "Create new" button will only display "Article" on the list. All existing classes should be displayed.
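The additive rule from the description, modelled on the reproduction scenario as an added example (not eZ Publish code): `creatable_classes` takes the union of every matching create policy, and `subtractive_cases` flags any evaluator for which adding an assignment shrinks the result. The class list, function names and data layout are assumptions made for illustration.

```python
from itertools import combinations

# Constructed sample class list; the report itself only names "Article".
ALL_CLASSES = frozenset({"Article", "Folder", "Image", "File"})

# Policies as (module, function, limitations); {} means "no limitations".
ROLE_1 = [("user", "login", {}), ("content", "read", {}), ("content", "create", {})]
ROLE_2 = [("user", "login", {}), ("content", "read", {}),
          ("content", "create", {"Class": {"Article"}, "Section": {"Media"}})]

# John Smith's assignments through his two groups: (role, subtree limitation).
ASSIGNMENTS = [(ROLE_1, "/Media/"), (ROLE_2, "/Media/Images/Test/")]


def _norm(path):
    # Force a trailing slash so "/Media/" does not match "/MediaArchive/".
    return path.rstrip("/") + "/"


def creatable_classes(assignments, path, section):
    """Additive evaluation: union of what every matching create policy grants."""
    allowed = set()
    for role, subtree in assignments:
        if not _norm(path).startswith(_norm(subtree)):
            continue  # this assignment does not cover the location
        for module, function, limits in role:
            if (module, function) != ("content", "create"):
                continue
            if "Section" in limits and section not in limits["Section"]:
                continue
            # A policy without a Class limitation grants every class.
            allowed |= limits.get("Class", ALL_CLASSES)
    return allowed


def subtractive_cases(evaluate, assignments, path, section):
    """Return assignment subsets that grant a class the full set does not."""
    full = evaluate(assignments, path, section)
    bad = []
    for n in range(len(assignments)):
        for subset in combinations(assignments, n):
            if not evaluate(list(subset), path, section) <= full:
                bad.append(subset)
    return bad
```

Passing a wrapper around the real permission lookup as `evaluate` turns `subtractive_cases` into a regression check for this class of bug.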