-
Type: Bug
-
Status: Resolved
-
Priority: Critical
-
Resolution: Cannot Reproduce
-
Affects Version/s: 10.10
-
Fix Version/s: None
-
Component/s: Comments
-
Tags:
-
Browser:
If permission inheritance is blocked on a particular comment so that it should be viewable only by the comment's creator, the comment is still displayed to everyone.
Here is a video link to view the issue: https://drive.google.com/file/d/1zima24H6rrYvd3e7IUbIVhzr25741eoJ/view?usp=sharing
Steps to reproduce:
- Use the Studio project https://connect.nuxeo.com/nuxeo/site/studio/ide?project=gcarlin-SANDBOX (branch comments-privacy). The business logic is in the AS_CommentSecurity automation script
- Create a comment with user1 (belonging to the member group)
- With user2 (also belonging to the member group), access the document that user1 commented on
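Here is the JSON representation of the comment after blocking permission inheritance. Its local ACL grants Everything to Administrator and administrators, grants ReadWrite to user1, and ends with a deny of Everything for Everyone: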
{ "entity-type":"document", "repository":"default", "uid":"b79862c0-5fd6-4a0c-b3b8-6b93a80bbb25", "path":"/default-domain/Comments/comment.1586874718769", "type":"Comment", "state":"moderation_pending", "parentRef":"4d69d44d-1bda-4ef6-b630-8ecfc88aa8e3", "isCheckedOut":true, "isRecord":false, "retainUntil":null, "hasLegalHold":false, "isUnderRetentionOrLegalHold":false, "isVersion":false, "isProxy":false, "changeToken":"2-0", "isTrashed":false, "title":"comment.1586874718769", "lastModified":"2020-04-14T14:31:58.762Z", "properties":{ "common:icon-expanded":null, "common:icon":null, "comment:creationDate":"2020-04-14T14:31:58.757Z", "comment:parentId":"b3b6106a-4303-4eda-9c61-b0f656396318", "comment:ancestorIds":[ "b3b6106a-4303-4eda-9c61-b0f656396318" ], "comment:text":"user 1 writes a comment", "comment:author":"user1", "comment:modificationDate":null, "dc:description":null, "dc:language":null, "dc:coverage":null, "dc:valid":null, "dc:creator":"user1", "dc:modified":"2020-04-14T14:31:58.762Z", "dc:lastContributor":"user1", "dc:rights":null, "dc:expired":null, "dc:format":null, "dc:created":"2020-04-14T14:31:58.762Z", "dc:title":null, "dc:issued":null, "dc:nature":null, "dc:subjects":[ ], "dc:contributors":[ "user1" ], "dc:source":null, "dc:publisher":null }, "facets":[ "HiddenInNavigation" ], "schemas":[ { "name":"common", "prefix":"common" }, { "name":"comment", "prefix":"comment" }, { "name":"dublincore", "prefix":"dc" } ], "contextParameters":{ "acls":[ { "name":"local", "aces":[ { "id":"Administrator:Everything:true:Administrator::", "username":"Administrator", "externalUser":false, "permission":"Everything", "granted":true, "creator":"Administrator", "begin":null, "end":null, "status":"effective" }, { "id":"administrators:Everything:true:::", "username":"administrators", "externalUser":false, "permission":"Everything", "granted":true, "creator":null, "begin":null, "end":null, "status":"effective" }, { "id":"user1:ReadWrite:true:Administrator::", 
"username":"user1", "externalUser":false, "permission":"ReadWrite", "granted":true, "creator":"Administrator", "begin":null, "end":null, "status":"effective" }, { "id":"Everyone:Everything:false:::", "username":"Everyone", "externalUser":false, "permission":"Everything", "granted":false, "creator":null, "begin":null, "end":null, "status":"effective" } ] } ], "permissions":[ "Write", "WriteVersion", "ReadProperties", "ReadCanCollect", "ReadSecurity", "Remove", "ReadVersion", "Read", "WriteLifeCycle", "Everything", "Moderate", "Version", "ManageLegalHold", "MakeRecord", "ReadChildren", "AddChildren", "Comment", "ReadLifeCycle", "RemoveChildren", "DataVisualization", "ReviewParticipant", "Unlock", "CanAskForPublishing", "RestrictedRead", "ReadWrite", "ReadRemove", "Browse", "SetRetention", "WriteProperties", "WriteSecurity", "ManageWorkflows" ] } }