Uploaded image for project: 'eZ Publish / Platform'
  1. eZ Publish / Platform
  2. EZP-29539

Deleting object will remove all subtree items even when user does not have permission to delete them

    XMLWordPrintable

    Details

      Description

      The user can send content to trash with all its subitems even when he does not have permission to delete one or more of said object subitems.

      Steps to reproduce
      1. Create a new Role named "Test".
      2. Add all standard Policies to it and set Content/Remove Limitations to Owner: Self, State: Lock:Locked.
      3. Create a new User "test", assign "Test" Role to him.
      4. Log in to backend as "test" user.
      5. Create a new Folder named "Folder 1".
      6. In the previously created Folder create new Folder named "Folder 2".
      7. As "admin" user set "Folder 1" state to Locked:Locked and "Folder 2" to Locked:Not locked.
      8. As "test" user delete "Folder 1".

      Result
      "Folder 1" will be sent to trash with "Folder 2" with it.

      Expected result
      Sending "Folder 1" to trash won't be allowed unless the user will have permissions to delete it subtree items too - like in Legacy.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                mateusz.bieniek@ez.no Mateusz Bieniek
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: