Files uploaded with Guest view permission - Forms Upload field

Issue

  • When a document is uploaded through a Forms Upload field, it is given the 'Guest view' permission.
  • When a document is added directly to the Documents and Media library, it does NOT get the 'Guest view' permission.
  • Is there a configuration option to always disable the 'Guest view' permission for files uploaded through Forms?

 

Environment

  • Liferay DXP 7.4
  • Quarterly Releases

 

Resolution

The property which influences the behavior is the following (this is set to "true" by default):
 
permissions.view.dynamic.inheritance=true
 
This is what the property does:

# Set the following to true to automatically check the view permission on
# parent categories or folders when checking the permission on a specific
# item.
#
# For example, if set to true, to be able to have access to a document,
# a user must have the view permission on the document's folder and all its
# parent folders.

 

Consider the following use case:

  1. Add the property:  dl.show.hidden.mount.folders=true  in order to see form upload files in Documents and Media (make sure to remove it afterwards)
  2. Create a form with an upload field
  3. As Admin, submit a file through the form
  4. Navigate to Documents & Media > com.liferay.dynamic.data.mapping.form.web > Forms > test ("test" is the default Admin user; each user has their own folder for files uploaded through forms)
  5. Check the file's info > Latest version URL
  6. Open the URL as a Guest

Result: Guest has access to the file.
 
Check the permissions: the file has View access enabled for the Guest user, and so do its parent folders: com.liferay.dynamic.data.mapping.form.web, Forms and test.
 
Because of the permissions.view.dynamic.inheritance property, even if the file itself has the Guest View permission, a Guest should not be able to view it when any of its parent folders lacks the View permission. To verify this, remove the View permission from the com.liferay.dynamic.data.mapping.form.web folder and open the Latest version URL again as a Guest.
 
Result: Guest user cannot access the file, a login prompt appears.
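
A simplified model of the check that permissions.view.dynamic.inheritance describes, applied to the folder path from the use case above. This is an added example, not Liferay code; the Resource class, the function names and the file name upload.pdf are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Iterator, List, Optional

@dataclass
class Resource:
    """Folder or file; guest_view is the Guest role's own VIEW permission."""
    name: str
    guest_view: bool
    is_file: bool = False
    parent: Optional["Resource"] = field(default=None, repr=False, compare=False)
    children: List["Resource"] = field(default_factory=list)

    def add(self, child: "Resource") -> "Resource":
        child.parent = self
        self.children.append(child)
        return child

def guest_can_view(res: Resource, dynamic_inheritance: bool = True) -> bool:
    """Effective Guest access under the modelled inheritance rule."""
    if not res.guest_view:
        return False
    if not dynamic_inheritance:
        return True  # only the item's own permission is checked
    node = res.parent
    while node is not None:  # every parent folder must grant VIEW as well
        if not node.guest_view:
            return False
        node = node.parent
    return True

def walk(res: Resource) -> Iterator[Resource]:
    yield res
    for child in res.children:
        yield from walk(child)

def exposed_files(root: Resource, dynamic_inheritance: bool = True) -> List[str]:
    """Names of files below root that a Guest can effectively view."""
    return [r.name for r in walk(root)
            if r.is_file and guest_can_view(r, dynamic_inheritance)]

def build_tree() -> Resource:
    # Constructed sample mirroring the folder path in the use case above.
    root = Resource("com.liferay.dynamic.data.mapping.form.web", guest_view=True)
    forms = root.add(Resource("Forms", guest_view=True))
    test = forms.add(Resource("test", guest_view=True))
    test.add(Resource("upload.pdf", guest_view=True, is_file=True))  # hypothetical file
    return root
```

Setting guest_view to False on the top folder of build_tree() empties the exposed_files() result, matching the second result in the use case.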
