Entry creators with Create and Read only rights are allowed to Reply, Modify and Delete

  • 7016843
  • 17-Sep-2015
  • 22-Sep-2015

Environment

Novell Vibe 4.0

Situation

If your site has defined a custom Access Control Role that only allows the user to be able to:
  - "Create Entries"
  - "Read Entries"

But NOT any of the following:
  - "Modify Owned Entries"
  - "Modify Entries"
  - "Delete Entries"
  - "Delete Owned Entries"
  - "Add Comments or Replies"

Then any user who ONLY gets assigned to this Role should not be able to perform the additional operations (Modify, Delete or Reply). However, due to a bug in rights calculation the entry creator is granted the additional rights on the entries he/she created.

Resolution

A fix for this issue is available in the Vibe 4.0 Hot Patch 4, available via the Novell Patch Finder.

Additional Information

Note: There is a configuration setting which needs to be added before this fix can be enabled. Please contact Novell Technical Support with reference to this TID to activate this fix for your Vibe 4.0 deployment.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.