Permissions are:
"Read private messages" for authenticated users and admins.
"Read all private messages" for admins only.
As an admin I sent a private message to user Lisa (Auth-only user) with the Subject "Hi Lisa from Admin".
That message was then viewable by both the admin and Lisa at http://testing/messages/view/6
This is great. However, I logged out completely, then logged back in as RandomJoe (Auth-only user). When I went to http://testing/messages/view/6, I could not see the message (which is good); however, IN THE TITLE was "Hi Lisa from Admin".
RandomJoe does not have permission to see any part of a private message between admin and Lisa.
Clearing the cache "fixes" it, only for the problem to re-emerge the next time a message is created. So maybe the title is being generated from a cache that is accessible to all auth users?
Comment | File | Size | Author |
---|---|---|---|
#4 | privatemsg_title_display.png | 204.89 KB | work77 |
#1 | 2020323-simpletest.patch | 1.81 KB | ptmkenny |
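A regression check for the behaviour reported above, as an added example that is not part of the original issue, the attached patch, or the module's code: it scans an access-denied response for the message subject in the places a browser or crawler exposes outside the page body. It goes beyond the `<title>` case in the report by also checking `<h1>` and title-like `<meta>` tags; the two HTML responses and the site name are constructed samples.

```python
from html.parser import HTMLParser

class _HeadText(HTMLParser):
    """Collects text of <title>/<h1> and the content of title-like <meta> tags."""
    WATCHED = ("title", "h1")
    META_KEYS = ("og:title", "twitter:title", "description")

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = []    # (location, text) pairs in document order
        self._open = None  # watched element currently being read
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in self.WATCHED:
            self._open, self._buf = tag, []
        elif tag == "meta":
            key = (a.get("property") or a.get("name") or "").lower()
            if key in self.META_KEYS:
                self.found.append((f"meta[{key}]", a.get("content") or ""))

    def handle_data(self, data):
        if self._open:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == self._open:
            self.found.append((tag, "".join(self._buf)))
            self._open = None

def subject_leaks(html, subject):
    """Return the locations in a denied response where the subject appears."""
    parser = _HeadText()
    parser.feed(html)
    parser.close()
    # Compare case-insensitively with whitespace collapsed.
    needle = " ".join(subject.split()).casefold()
    return [loc for loc, text in parser.found
            if needle in " ".join(text.split()).casefold()]

# Constructed responses, as an unauthorised user would receive them.
LEAKY = ("<html><head><title>Hi Lisa from Admin | testing</title></head>"
         "<body><h1>Access denied</h1><p>You are not authorized.</p></body></html>")
FIXED = ("<html><head><title>Access denied | testing</title></head>"
         "<body><h1>Access denied</h1></body></html>")
```

Run it against the response fetched as a user who is neither sender nor recipient; any non-empty result means the subject is exposed despite the denied body.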
Comments
Comment #1
ptmkenny commented
I wrote some tests for this, but I was unable to reproduce the behavior on my machine. Test patch attached.
Comment #2
ptmkenny commented
Comment #3
ptmkenny commented
Do you have any caching (Varnish, Drupal page caching, etc.) enabled? I have been unable to reproduce this in my local dev environment (MAMP) and the Simpletest passes as well.
Comment #4
work77 commented
I just checked again with a fresh installation, and it's still doing it. Just to add a little info: I'm running the Drupal Commons distro. Not sure if that makes a difference. In this screenshot, you can see that Access is Denied to this user, yet the Firefox tab shows the subject, "To Lisa from Admin". I haven't done any troubleshooting beyond that. As for caching, all I know is nothing under "Caching" at q=admin/config/development/performance appears to be enabled (nothing is checked).
http://postimg.org/image/415u59gh9/
Comment #5
work77 commented
No Varnish
Comment #5.0
work77 commented
Just changing the "everyone" to "all auth users". Not a significant revision. Just adding some clarity.
Comment #6
ivnish commented