From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.9 (X11; Linux i686; U;) Gecko/20030314
Description of problem:
The Tasks List query retrieves all items that are in a workflow state to which
the user is assigned, however, it does not apply any permissions filters to the
resulting set of items. Thus if an item is in a private folder then the user is
unable to action the item in their task list.
This is a severe problem as people attempt to de-centralize the CMS authoring &
approval processes to all members of their organisation, since a given workflow
may have hundreds of users assigned to each step, but each person only has
permissions to act on items in a small number of folders. Thus the task list may
have hundreds of entries of which only 10-20 are relating to items on which the
user has permission.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create two users
2. Assign both users to the Authoring phase of the production workflow
3. Create two folders.
4. Remove all default permissions from these two folders.
5. Give one user to edit privilege on one folder, the other user edit on the
6. Have each user create an item in their respective folder
7. Go to the task list
Actual Results: Both users can see items from both folders, even though they
each only have permission on one folder.
Expected Results: The user can only see items on which they have permission.
I cannot understate the importance of this problem - it is holding up the
deployment of CMS for several APLAWS customers.
If you need the fix ASAP, you will need to do it yourself and supply us the
patch for merge. Otherwise, we will get to it as soon as we can.
-> Private because of customer facing information that should not be public in
mbooth: do you have a patch for this?
fixed, along with a few other things, on 5.2 (39243), dev (39234), 6.0
QA_READY has been deprecated in favor of ON_QA. Please use ON_QA in the future.
Moving to ON_QA.
Closing old tickets