
Content Detail Block - Security #6538

@jcjones37

Description


When I give a user [View] access to this page: https://rock.rocksolidchurchdemo.com/web/content

The user has the ability to delete individual items within any content channel if they do not have [Edit] rights to that content channel.

Below is the block the [view] user will see if they click on a content channel item that they do not have [edit] access to.


Note: the ability to delete an item is ONLY available when a user clicks on a content channel item that they do not have edit access to. The ability to delete the content channel item does not show up on the content channel grid of items.

Actual Behavior

View only users are able to delete content channel items that they do not have edit access to.

Expected Behavior

I would expect that if a user has view only access to the page or to a content channel itself, that they would not be able to delete an item.

Steps to Reproduce

  • Go to https://rock.rocksolidchurchdemo.com/web/content
  • Click on the security for that page
  • Give a user who does not have edit rights to content channels the ability to 'View' this page
  • Log into Rock as that user (the one you just gave view rights to) and go to: https://rock.rocksolidchurchdemo.com/web/content
  • Click on any given content channel
  • Scroll down to the content channel item grid
  • Notice the user does not have the ability to add or delete any given content channel items.
  • Click on any given content channel item within that content channel
  • Notice the user is presented with a block that allows the user to delete that item.

Issue Confirmation

  • Perform a search on the Github Issues to see if your bug is already reported.
  • Reproduced the problem on a fresh install or on the demo site.

Rock Version

17.6

Client Culture Setting

en-US
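As an added illustration of the expected behaviour (this is not Rock's own code and not the fix the project shipped), the sketch below shows the shape of a detail block whose delete handler checks Edit on the item's content channel on the server side, instead of relying only on hiding the button. The block name, the control names (`btnDelete`, `hfContentChannelItemId`, `mdDeleteWarning`) and the method names are assumed for illustration; `IsAuthorized`, `Authorization.EDIT` and `ContentChannelItemService` follow Rock's general coding patterns but are used here from memory, not copied from Rock's source.

```csharp
// Illustrative Rock-style block excerpt; names are assumed, not Rock's own code.
using System;
using Rock.Data;
using Rock.Model;
using Rock.Security;
using Rock.Web.UI;
using Rock.Web.UI.Controls;

public partial class ContentChannelItemDetailExample : RockBlock
{
    // Decide once whether the current person may delete this item.
    // The decision is made against the content channel (the entity that
    // carries Edit rights), not against the page, which only grants View.
    private bool CanDeleteItem( ContentChannelItem item )
    {
        if ( item == null || item.ContentChannel == null )
        {
            return false;
        }
        return item.ContentChannel.IsAuthorized( Authorization.EDIT, CurrentPerson );
    }

    // UI gating: hide the button when the person lacks Edit. On its own this
    // is a convenience, not a security control; the handler must check too.
    private void ShowDetail( ContentChannelItem item )
    {
        btnDelete.Visible = CanDeleteItem( item );
    }

    // Server-side gating: re-check authorization on the postback that deletes.
    protected void btnDelete_Click( object sender, EventArgs e )
    {
        var rockContext = new RockContext();
        var service = new ContentChannelItemService( rockContext );
        var item = service.Get( hfContentChannelItemId.Value.AsInteger() );

        if ( !CanDeleteItem( item ) )
        {
            // Deny and stop; nothing is removed for a View-only person.
            mdDeleteWarning.Show( "You are not authorized to delete this item.", ModalAlertType.Warning );
            return;
        }

        service.Delete( item );
        rockContext.SaveChanges();
        NavigateToParentPage();
    }
}
```

The point of the second check is that the grid already hides add/delete for View-only users; the reported gap is a detail block that performs the delete without the same server-side authorization.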

Metadata


Assignees

No one assigned

Labels

Status: Confirmed (It's clear what the subject of the issue is about, and what the resolution should be.)
Type: Bug (Confirmed bugs or reports that are very likely to be bugs.)
