Dynamic Visitor Tool is Allowing Inline Edit Mode for Users Without Proper Entitlements
(Doc ID 1318146.1)
Last updated on JANUARY 28, 2025
Applies to:
Oracle WebLogic Portal - Version 10.3.2 to 10.3.2 [Release AS10gR3]
Information in this document applies to any platform.
Symptoms
The Dynamic Visitor tool (DVT) in WLP 10.3.2 is allowing inline edit mode for users without proper entitlements.
Please read the following scenario:
- Created a new desktop with DVT and DSC enabled
- Created two users (<User1> and <User2>)
- Created Visitor Role <Role1> and added <User1> to this role
- Created Visitor Role <Role2> and added <User2> to this role
- Entitle portlet1 with view and edit capabilities to Visitor Role <Role1>
- Entitle portlet1 with view capabilities to Visitor Role <Role2>
Test Case 1:
- Log in as <User1> and you will be able to edit the portlet titles.
- Log out and log back in as <User1>; you will see the title changed. This works as designed. (<User1> is able to view and edit the portlet title, and this change is persisted.)
Test Case 2:
- Now log in as <User2> and you will be able to view and edit the portlet title, and you will see the below error in the logs.
- Log out and log back in as <User2>; you will see the title change is not persisted.
The title change is not persisted in Test Case 2, but users with view capabilities are given an option to change the title. The following error message appears in the logs when the title is changed:
com.bea.netuix.application.exception.NotEntitledException: Subject:
Principal: <User2>
Principal: <editors>_PortalPageEditors
not entitled to execute operation [updatePortletInstance] on [Portlet] with resource id [<RESOURCE_ID>] in Desktop with id [Webapp: [<Webapp_war] PortalPath: [<name>] DesktopPath: [<desktop path>]].
at com.bea.netuix.application.manager.persistence.jdbc.PortalCustomizationManagerImpl.updatePortletInstance(PortalCustomizationManagerImpl.java:176)
at com.bea.netuix.application.manager.persistence.jdbc.PortalCustomizationManager_z7jdbo_EOImpl.updatePortletInstance(PortalCustomizationManager_z7jdbo_EOImpl.java:1256)
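To find which users were offered the edit control and then denied on save, the NotEntitledException entries can be pulled out of the server log. The following is an added example, not Oracle code: the sample log is constructed with placeholder names and ids in the layout of the message above, and treating the first Principal line as the user is an assumption based on that message.

```python
import re
from collections import Counter

# Constructed sample log; names and ids are placeholders, layout follows the message above.
SAMPLE_LOG = """\
com.bea.netuix.application.exception.NotEntitledException: Subject:
Principal: user2
Principal: editors_PortalPageEditors
not entitled to execute operation [updatePortletInstance] on [Portlet] with resource id [1001] in Desktop with id [Webapp: [app_war] PortalPath: [portal] DesktopPath: [desk]].
\tat com.bea.netuix.application.manager.persistence.jdbc.PortalCustomizationManagerImpl.updatePortletInstance(PortalCustomizationManagerImpl.java:176)
com.bea.netuix.application.exception.NotEntitledException: Subject:
Principal: user2
not entitled to execute operation [updatePortletInstance] on [Portlet] with resource id [1002] in Desktop with id [Webapp: [app_war] PortalPath: [portal] DesktopPath: [desk]].
com.bea.netuix.application.exception.NotEntitledException: Subject:
Principal: user3
"""

START = re.compile(r"NotEntitledException: Subject:\s*$")
PRINCIPAL = re.compile(r"^\s*Principal:\s*(\S.*?)\s*$")
DENIAL = re.compile(r"not entitled to execute operation \[([^\]]+)\] on \[([^\]]+)\] "
                    r"with resource id \[([^\]]+)\]")

def parse_denials(text):
    """Return one dict per complete NotEntitledException entry."""
    events, current = [], None
    for line in text.splitlines():
        if START.search(line):
            current = {"principals": []}  # new entry; a truncated previous one is dropped
            continue
        if current is None:
            continue
        m = PRINCIPAL.match(line)
        if m:
            current["principals"].append(m.group(1))
            continue
        m = DENIAL.search(line)
        if m:
            current.update(operation=m.group(1), resource_type=m.group(2), resource_id=m.group(3))
            events.append(current)
        current = None  # denial line or any other line ends the entry
    return events

def denied_by_user(events):
    """Count denials per (first principal, operation); first principal assumed to be the user."""
    return Counter((e["principals"][0], e["operation"]) for e in events if e["principals"])

if __name__ == "__main__":
    for (user, op), n in denied_by_user(parse_denials(SAMPLE_LOG)).items():
        print(f"{user}: {n} denied {op} call(s)")
```

Repeated `updatePortletInstance` denials for the same user are the server-side trace of the symptom described here: the entitlement check holds at persistence time, while the interface still exposes the edit control.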
Changes
Cause