[
http://jira.magnolia.info/browse/MAGNOLIA-1993?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15668#action_15668
]
Yuanhua Qu commented on MAGNOLIA-1993:
--------------------------------------
Version: Magnolia 3.5.3
A user can activate a page even if that user is not activated or the role
assigned to that user is not activated. In the earlier version 3.0.5, a user
could only activate a page when that user and the role assigned to that user
were activated.
If the user and the assigned role are both not activated, that user can still
try to deactivate that page without any error alert, and the status shows
deactivated although in fact that page was not deactivated at all. If one of
them, the user or the role, is activated and the user tries to deactivate the
page, an alert message appears, but the status still shows deactivated in the
author instance although it was not deactivated at all.
> Inconsistent security checks on activation/deactivation
> -------------------------------------------------------
>
> Key: MAGNOLIA-1993
> URL: http://jira.magnolia.info/browse/MAGNOLIA-1993
> Project: Magnolia
> Issue Type: Bug
> Components: activation
> Affects Versions: 3.5 RC1, 3.5 RC2, 3.5 RC3, 3.5, 3.5.1, 3.5.2
> Reporter: Jan Haderka
> Assignee: Philipp Bracher
>
> After fixing MAGNOLIA-1536, the security checks performed on
> activation/deactivation are now inconsistent. To activate a document,
> permission to access /ActivationHandler is a satisfactory condition (no write
> permission to the given part of the repository is necessary); however, to
> deactivate a document the user needs to be able to access the
> /ActivationHandler and needs REMOVE permission on the deactivated document.
> This leads to a situation where a user can activate the document but has no
> permission to deactivate it.
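
The asymmetry described in the issue can be caught mechanically by enumerating permission sets and comparing the two authorization decisions. The following is an added example, not Magnolia code and not part of the original report; the permission labels, the function names and the WRITE-based consistent policy are assumptions made for illustration.

```python
from itertools import combinations

# Hypothetical permission labels that model the issue text; not Magnolia's API.
URL_ACCESS = "url:/ActivationHandler"
WRITE = "repo:WRITE"
REMOVE = "repo:REMOVE"
ALL_PERMS = (URL_ACCESS, WRITE, REMOVE)


def can_activate_reported(perms):
    # As reported: access to the handler URL alone is enough to activate.
    return URL_ACCESS in perms


def can_deactivate_reported(perms):
    # As reported: handler URL access plus REMOVE on the document.
    return URL_ACCESS in perms and REMOVE in perms


def can_change_publication_state(perms):
    # Assumed consistent policy: both operations share one predicate that
    # needs handler access and WRITE on the node. The issue does not say
    # which repository permission the real fix requires.
    return URL_ACCESS in perms and WRITE in perms


def asymmetric_grants(can_activate, can_deactivate):
    """Return every permission set that allows exactly one of the two operations."""
    mismatches = []
    for size in range(len(ALL_PERMS) + 1):
        for combo in combinations(ALL_PERMS, size):
            perms = frozenset(combo)
            if can_activate(perms) != can_deactivate(perms):
                mismatches.append(combo)
    return mismatches


if __name__ == "__main__":
    for combo in asymmetric_grants(can_activate_reported, can_deactivate_reported):
        print("activate/deactivate disagree for:", combo)
    # The shared predicate cannot disagree with itself.
    print(asymmetric_grants(can_change_publication_state, can_change_publication_state))
```

Run as a regression test, a non-empty result from `asymmetric_grants` flags any future change that lets the two checks drift apart again.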