Details
-
Bug
-
Resolution: Obsolete
-
Medium
-
None
-
2.1.1, 3.0.0-beta1, 2.5.3
-
None
Description
Preconditions:
Existing CI named Products, path 'eZ Platform/Products', Products has got several sub-items
Steps:
1. Create new role with policies:
- User/Login
- User/Password
- Content/Remove with limitation 'Node/Products'
- Content/Read
- Content/Versionread
2. Create a user and assign it to the role
3. Log in as a new user
4. Go to eZ Platform/Products - Trash button is active on right sidebar
5. Go to any sub-item view - Trash button is inactive
6. Go back to eZ Platform/Products, click Trash button and confirm
Actual result:
CI is removed and its sub-items are removed as well. It should be forbidden, because user didn't have permissions to remove subitems. See attachment please - there is a message from eZ Publish which is shown in similar situation.
Expected result:
User is not allowed to remove CI with sub-items when he doesn't have rights to remove sub-items as well.
Attachments
Issue Links
- relates to
-
EZP-29493 Content/Remove with Content Type limitation allows to remove sub-items of CI with different CT
- Closed
-
EZP-29494 Content/Remove with Owner limitation allows to remove sub-items of CI with different author
- Closed
-
EZP-29539 Deleting object will remove all subtree items even when user does not have permission to delete them
- Closed
-
EZP-29224 Implement permissions for "Content/Remove"
- Closed
- links to