Tweet
I have created a portal role with access to the "case" scope only. The permissions are: create - yes, read - own, edit - no, delete - no, stream - own. The portal dashboard has a "My Cases" dashlet.
When I log into the portal as a user who has only that role mentioned above, the dashlet lists my own cases only, which is correct. But when I open a case and click on the "Cases" link (which is displayed in front of the case title in the headline) I will see a list of all cases from all users. I can even click on a list entry to open that case's detail page. While most of the case details are hidden, I can still see the case title, status, creation date and creation user, so overall I get a view of things which might be confidential.
A similar, even more sensitive problem occurs when I navigate to my user page and click on the "Users" link in front of my user name in the headline. Then I will see a list of all system and portal users, including login names, real names and email addresses!
Am I missing something? Is there a way to prevent portal users from accessing these sensitive pages?
When I log into the portal as a user who has only that role mentioned above, the dashlet lists my own cases only, which is correct. But when I open a case and click on the "Cases" link (which is displayed in front of the case title in the headline) I will see a list of all cases from all users. I can even click on a list entry to open that case's detail page. While most of the case details are hidden, I can still see the case title, status, creation date and creation user, so overall I get a view of things which might be confidential.
A similar, even more sensitive problem occurs when I navigate to my user page and click on the "Users" link in front of my user name in the headline. Then I will see a list of all system and portal users, including login names, real names and email addresses!
Am I missing something? Is there a way to prevent portal users from accessing these sensitive pages?
Comment