User accessing data he's not supposed to see


#1

I’ve enabled ACLs on Organization, and defined AclPrivilege to connect users to organizations.

The problem is that I have a user who’s assigned to 2 Organizations but can see 3 more (5 in total).

I checked the ACL entries and he appears only on the 2 Organizations he’s supposed to see. For the rest, I tried to check if the groups/roles he’s a member of appear in the ACL entries, but it’s not the case!

Is there something else I can check that could explain this?


#2

What roles does the user have? It’s possible that the user could have one or more action conditions that override ACLs. Are there ACL entries for the 3 organizations that the user cannot see? Does this user belong to the groups associated with the entries?


#3

It was the actionConditions that I did not update! Thanks a lot.