[JC-1314] User can delete posts of another user if he has permission to delete his own posts - JTalks JIRA

Voters

Watchers

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 1.3 Larks
Fix Version/s: 1.4 Larks
Labels:
None

Sprint:
1.3 Larks, 1.4 Larks

Description

Preconditions:
1. There is user User1
2. There is user User2 which has permission to delete his own posts

Steps to reproduce
1. Log on as user1
2. Create new topic and answer in newly created topic (there should be two posts in the topic).
3. Log on as user2.
4. Go to created topic and click "Link to this post" in the second post. Copy link from the window.
5. View cookies of your browser for JCommune host.
6. Execute following command with curl utility:

 
curl -X DELETE --cookie "JSESSIONID=<value from cookies>;GMT=<value from cookies>" <link to the post from step 4>

Expected result
Post written by User1 should not be deleted.

Actual behavior
Post was deleted.

Attachments

Issue Links

clones

JC-1237 User can delete other posts without DELETE_OTHERS_POSTS permission being granted

Closed

relates to

JC-1183 Permission EDIT_OTHER_POSTS should't give the rights to edit own messages and topics.

Closed

JC-1236 User can edit other posts without EDIT_OTHERS_POSTS permission being granted

Closed

Structure

Activity

People

Assignee:

Artem R

Reporter:

Andrei Alikov

Votes:

0 Vote for this issue

Watchers:

4 Start watching this issue

Dates

Due:

01/Mar/13

Created:

17/Feb/13 1:08 PM

Updated:

24/Feb/13 7:13 PM

Resolved:

20/Feb/13 5:52 PM

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

5h 20m