Environment
Novell Vibe 4.0
Situation
If your site has defined a custom Access Control Role that grants the user only the following rights:
- "Create Entries"
- "Read Entries"
But NOT any of the following:
- "Modify Owned Entries"
- "Modify Entries"
- "Delete Entries"
- "Delete Owned Entries"
- "Add Comments or Replies"
Then any user who is assigned ONLY to this Role should not be able to perform the additional operations (Modify, Delete or Reply). However, due to a bug in the rights calculation, the entry creator is granted these additional rights on the entries he/she created.
Resolution
A fix for this issue is included in Vibe 4.0 Hot Patch 4, available via the Novell Patch Finder.
Additional Information
Note: There is a configuration setting which needs to be added before this fix can be enabled. Please contact Novell Technical Support with reference to this TID to activate this fix for your Vibe 4.0 deployment.