2 Replies Latest reply on Aug 3, 2007 7:14 AM by dcarter

    New Tag Group link can be accessed by unauthorized users in CS 1.3

      Hi, we're on Clearspace 1.3. We've noticed that unauthorized users (non-space admins) can see and access the "New Tag Group" link in the user console.


      The user will be permitted to title, describe, and add tags to the group. Only when they click "Save" are they told they are not authorized to do this. I'm thinking they shouldn't be able to see the "New Tag Group" link in the first place.


      Is this a bug?




        • Re: New Tag Group link can be accessed by unauthorized users in CS 1.3

          hi Jeff,


          I'm assuming that this is when they view a community page?  Something like:




          That's definitely a bug if they can see it, although in looking at the code for version 1.4 (released today) and what's coming in 1.5, we don't even show the link to create a new tag group as far as I can tell.  The logic for this lives in a file called ui-components.xml. It used to be on or around lines 430 to 450 of this file, and when it was in there, it was limited to community administrators.  Have you done any customizations to that file by chance?  Can you let us know what your version of that file looks like in the <component id="community-actions">...</component> area?





            • Re: New Tag Group link can be accessed by unauthorized users in CS 1.3



              The link is not conditional; it's hard-coded in global/community.ftl:


              <a href="<@ww.url action="tag-set-create" method="input"  includeParams="none"><@ww.param name="communityID">${community.ID?c}</@ww.param></@ww.url>" class="jive-link-newtopic">New Tag Group</a>


              Also, the ui-components.xml file is in the WEB-INF/lib/clearspace-1.4.0.jar. I unjarred 1.3 and 1.4, and there are some differences, but I do not see any reference to this link. In fact, the only reference to tag groups is at line ~104 (in 1.4).


              In 1.3, here is what the community-actions section looks like:


              <component id="community-actions">

                      <tab id="community-actions-tab" name="Actions">

                          <item id="jive-link-createThread" name="Start a discussion"

                                module="forums" cssClass="jive-link-forum">

                              <when><![CDATA[(canCreateThread || (guest && community.properties.get('jiveDisablePostLinks')?default('') [CDATA[<@ww.url action="post" method="input" includeParams="none"><@ww.param name="communityID" value="${community.ID?c}"/></@ww.url>]]></url>


                          <item id="jive-link-createDocument" name="Create a document"

                                cssClass="jive-link-wiki" module="wiki">

                              <when><![CDATA[(canCreateDocument || (guest && community.properties.get('jiveDisablePostLinks')?default('') [CDATA[<@ww.url action="community-document-picker" includeParams="none"><@ww.param name="communityID" value="${community.ID?c}"/></@ww.url>]]></url>


                          <item id="jive-link-createBlogPost" name="Write a blog post" module="blogs"


                              <when><![CDATA[primaryBlog?exists && authorOnPrimaryBlog && [CDATA[<@ww.url action="blogs-create-post" method="default" includeParams="none"><@ww.param name="blogID" value="${primaryBlog.ID?c}"/></@ww.url>]]></url>



                          <item id="jive-link-createAnnounce" name="Create an announcement"




                                  <![CDATA[<@ww.url action='ann-post' method='input' includeParams='none'><@ww.param name='communityID'>${community.ID?c}</@ww.param></@ww.url>]]></url>


                          <item id="jive-link-createPoll" name="Create a poll" cssClass="jive-link-poll">    


                                  <![CDATA[JiveGlobals.getJiveBooleanProperty("polls.enabled", true) && canCreatePoll]]></when>


                                  <![CDATA[<@ww.url action='poll-post' method='input' includeParams='none'><@ww.param name='communityID' value='${community.ID?c}'/></@ww.url>]]></url>


                          <item id="jive-link-community-stopWatch" name="Stop email notifications"

                                cssClass="jive-link-watches" url="#" onclick="stopWatching();">              


                              <style><![CDATA[<#if [CDATA[<#if watched>display:none</#if>]]></style>


                          <item id="receive-rss-link" name="View RSS feeds" cssClass="jive-link-rss">        


                                  <![CDATA[<@ww.url value='/community/feeds' includeParams='none' />?communityID=${community.ID?c}]]></url>
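
An added example, not part of the original thread and not Jive's code: a small Python check that flags `<@ww.url action=...>` links in a FreeMarker template that sit outside any `<#if>` block, which is how the hard-coded "New Tag Group" link in global/community.ftl described above ends up shown to every user. The sample template is constructed for illustration; a flagged link is a candidate for review rather than proof of missing authorization, since the action itself may still refuse the request, as the original post reports for "Save".

```python
import re

# Matches <#if ...> openers, </#if> closers, and WebWork URL directives
# that name an action, e.g. <@ww.url action="tag-set-create" ...>.
TOKEN = re.compile(
    r"""<#if\b|</#if>|<@ww\.url\b[^>]*?\baction=(["'])(?P<action>[^"']+)\1"""
)


def unguarded_actions(template_text):
    """Return (line, action) for each ww.url action link outside any <#if> block."""
    depth, findings = 0, []
    for m in TOKEN.finditer(template_text):
        tok = m.group(0)
        if tok == "</#if>":
            depth = max(depth - 1, 0)      # tolerate stray closers
        elif tok.startswith("<#if"):
            depth += 1                     # <#elseif>/<#else> do not change depth
        elif depth == 0:
            # Action link rendered unconditionally: report its line number.
            line = template_text.count("\n", 0, m.start()) + 1
            findings.append((line, m.group("action")))
    return findings


# Constructed sample: one link guarded by a permission flag, and the
# unconditional "New Tag Group" link quoted in the thread.
SAMPLE = '''<div class="jive-sidebar">
<#if canCreateThread>
  <a href="<@ww.url action="post" method="input" includeParams="none"><@ww.param name="communityID" value="${community.ID?c}"/></@ww.url>">Start a discussion</a>
</#if>
<a href="<@ww.url action="tag-set-create" method="input" includeParams="none"><@ww.param name="communityID">${community.ID?c}</@ww.param></@ww.url>" class="jive-link-newtopic">New Tag Group</a>
</div>
'''

if __name__ == "__main__":
    for line, action in unguarded_actions(SAMPLE):
        print(f"line {line}: action '{action}' is linked without a surrounding <#if>")
```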