Uploaded image for project: 'eZ Publish / Platform'
  1. eZ Publish / Platform
  2. EZP-29539

Deleting object will remove all subtree items even when user does not have permission to delete them

    Details

      Description

      The user can send content to trash with all its subitems even when he does not have permission to delete one or more of said object subitems.

      Steps to reproduce
      1. Create a new Role named "Test".
      2. Add all standard Policies to it and set Content/Remove Limitations to Owner: Self, State: Lock:Locked.
      3. Create a new User "test", assign "Test" Role to him.
      4. Log in to backend as "test" user.
      5. Create a new Folder named "Folder 1".
      6. In the previously created Folder create new Folder named "Folder 2".
      7. As "admin" user set "Folder 1" state to Locked:Locked and "Folder 2" to Locked:Not locked.
      8. As "test" user delete "Folder 1".

      Result
      "Folder 1" will be sent to trash with "Folder 2" with it.

      Expected result
      Sending "Folder 1" to trash won't be allowed unless the user will have permissions to delete it subtree items too - like in Legacy.

        Issue Links

          Activity

          Show
          Andrzej Longosz added a comment - PR: https://github.com/ezsystems/ezpublish-kernel/pull/2536
          Show
          Michał Szołtysek added a comment - Also: https://github.com/ezsystems/ezplatform-admin-ui/pull/827
          Hide
          Michał Szołtysek added a comment - - edited

          QA Approved on eZ Platform EE v1.7.8, v1.13.4, v2.2.3, v2.3.2, v2.4.2.
          On v2 diffs were used.

          Show
          Michał Szołtysek added a comment - - edited QA Approved on eZ Platform EE v1.7.8, v1.13.4, v2.2.3, v2.3.2, v2.4.2. On v2 diffs were used.
          Show
          Michał Szołtysek added a comment - Merged to 6.7: https://github.com/ezsystems/ezpublish-kernel/commit/f2a100d3010faa711e30aa52563d908f8fdad626 Merged to 1.2: https://github.com/ezsystems/ezplatform-admin-ui/commit/dd2b132aa38e63d8c95e95e5bfff8c8dda1d4b4f

            People

            • Assignee:
              Unassigned
              Reporter:
              Mateusz Bieniek
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: