[ http://jira.magnolia.info/browse/MAGNOLIA-2317?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17468#action_17468 ]
Jan Haderka commented on MAGNOLIA-2317:
---------------------------------------

The reason why those privileges are not checked on login is that it is the system which is logging in the user, and the system has access to user data. The outstanding question is whether we should make sure that a user who has no privileges to their account can log in or not. At the moment I think such a user should be allowed to log in (as long as his/her account is enabled), but should not be allowed to change his/her own preferences. On the other hand, one can argue that a user who is not able to read his/her own preferences should be denied login on the grounds of not being able to set even his/her own preferred language for the UI.

> Reading user nodes without having correct privileges assigned
> -------------------------------------------------------------
>
>                 Key: MAGNOLIA-2317
>                 URL: http://jira.magnolia.info/browse/MAGNOLIA-2317
>             Project: Magnolia
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.6.1
>            Reporter: Jan Haderka
>            Assignee: Jan Haderka
>
> Currently users have assigned privileges to access their own node via ACLs
> assigned directly to their account. However, those privileges are not assigned
> and used at runtime, so in theory the user should not be able to log in.