Details
-
Bug
-
Resolution: Fixed
-
High
-
2.2.2
-
None
Description
The user can send content to trash with all its subitems even when he does not have permission to delete one or more of said object subitems.
Steps to reproduce
1. Create a new Role named "Test".
2. Add all standard Policies to it and set Content/Remove Limitations to Owner: Self, State: Lock:Locked.
3. Create a new User "test", assign "Test" Role to him.
4. Log in to backend as "test" user.
5. Create a new Folder named "Folder 1".
6. In the previously created Folder create new Folder named "Folder 2".
7. As "admin" user set "Folder 1" state to Locked:Locked and "Folder 2" to Locked:Not locked.
8. As "test" user delete "Folder 1".
Result
"Folder 1" will be sent to trash with "Folder 2" with it.
Expected result
Sending "Folder 1" to trash won't be allowed unless the user will have permissions to delete it subtree items too - like in Legacy.
Attachments
Issue Links
- relates to
-
EZP-29019 Content / Manage locations limitations are not respected
- Closed
-
EZP-29087 Sending to trash should rely on content/remove policy
- Closed
-
EZP-29493 Content/Remove with Content Type limitation allows to remove sub-items of CI with different CT
- Closed
-
EZP-29248 Content/Remove with Node limitation allows to remove sub-items of CI
- Closed