Description of problem: When a user has zero rights on items, he can nonetheless click on them (FolderBrowser.java) and browse through all authoring steps, hence seeing the attribute values of the item he has no rights on. Which is not correct. The user should not be able to click on the items displayed in the folder browser (paginated display).
The following method in FolderBrowser.java should be modified: NameCellRenderer.getComponent(Table table, PageState state, Object value, boolean isSelected, Object key, int row, int column)
Below is the log of the associated Perforce changelist #41089:
@@ -259,10 +265,17 @@ return super.getComponent(table, state, name, isSelected, key, row, column); } else { + // Add permission checking, based on edit permission + PrivilegeDescriptor editpriv = PrivilegeDescriptor.get(SecurityManager.CMS_EDIT_ITEM); + Folder folder = (Folder) m_currentFolder.getSelectedObject(state); + Party party = Kernel.getContext().getParty(); + boolean canedit = PermissionService.checkPermission(new PermissionDescriptor(editpriv,folder,party)); + ContentSection section = CMS.getContext().getContentSection(); BigDecimal id = coll.getID(); - if (section == null) {+ // Use permission checking : do not display link if not editable. + if (section == null || !canedit) { return new Label(name); } else { ItemResolver resolver = section.getItemResolver();
Question: is SecurityManager.CMS_EDIT_ITEM correct? Should we not use SecurityManager.CMS_READ_ITEM?
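Review bot: the permission check in the added `else` branch is evaluated against the folder (`m_currentFolder.getSelectedObject(state)`), not against the item whose row is being rendered (`coll.getID()`), so an item-level grant or denial has no effect on whether the link is shown; build the `PermissionDescriptor` for the row's item if item-level rights are meant to be honoured. The check also only swaps the link for `new Label(name)` in the cell renderer, which hides the entry point but does not stop a user who already has the item URL, so the authoring pages the link resolves to need the same check on the server side. Two smaller points: `canedit` is computed from values that do not change per row (folder and party), so it could be resolved once per request rather than on every `getComponent` call, and the comment "do not display link if not editable" should state which privilege is intended once the CMS_EDIT_ITEM versus CMS_READ_ITEM question is settled.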
We should either check on CMS_READ_ITEM or CMS_PREVIEW_ITEM -- users shouldn't need edit permissions to view the item on the back end. In particular, we need to filter on the same permission that back-end search results are filtered on (assuming they're filtered currently).
Actually, this should be a non-issue from a UI point of view. Currently although item-level permissions are allowed by the API, the UI only controls folder-level permissions. If you have no rights to the items in the folder, you will also have no rights to the current folder, so you shouldn't see that folder in the list. I know that, for rickshaw at least, the filtering on folder-level permissions has been done. I'm not sure if it's been propagated to 6.0, and I'm not sure if the filtering included item-level permissions as well.
See bug 111030 for the folder browser fix. It's currently on london 5.2 but not yet propagated to 6.0 or rickshaw.
Closing old tickets