PUBLIC - Liferay Portal Enterprise Edition
LPE-2406

All portlets in a community are viewable regardless of permission

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 5.2 EE SP3 (5.2.7)
    • Fix Version/s: 5.2 EE SP4 (5.2.8)
    • Component/s: Application Security
    • Labels:
      None
    • Environment:
      All

      Description

      By constructing the right URL, all portlets in a community are viewable regardless of permission. To address this issue, the following properties have been added to portal(-ext).properties:

      #
      # Portlets that have configured liferay-portlet.xml with the element
      # "add-default-resource" set to true will allow those portlets to be
      # dynamically added to any page by any user. This is useful
      # (and necessary) for some portlets that need to be dynamically added to a
      # page, but it can also pose a security risk because it also allows any user
      # to do it.
      #
      # Set this property to true to add a security check around this behavior.
      # If set to true, then portlets can only be dynamically added to a page if
      # the request contains a proper security token. This security token is
      # automatically passed when using a portlet URL from one portlet to another
      # portlet.
      #
      # Modify the property "portlet.add.default.resource.check.whitelist" to
      # whitelist certain portlets from this security check.
      #
      # The security check utilizes the implementation set in the property
      # "auth.token.impl".
      #
      portlet.add.default.resource.check.enabled=true

      #
      # Set a comma delimited list of portlet ids that will bypass the
      # security check set in the property
      # "portlet.add.default.resource.check.enabled".
      #
      portlet.add.default.resource.check.whitelist=58,86,103,113,145
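      The decision the two properties describe, modelled as a small standalone policy function (an added example, not Liferay's own code): the check is skipped when disabled, whitelisted portlet ids bypass it, and every other dynamic add must present a token matching the one the server issued. The property text, the token format and the function names are assumptions for illustration; Liferay's real implementation lives behind "auth.token.impl".

```python
import hmac
import secrets

# Constructed sample of the two properties from the issue (not a real portal-ext.properties).
PORTAL_PROPERTIES = """
# security check around add-default-resource portlets
portlet.add.default.resource.check.enabled=true
portlet.add.default.resource.check.whitelist=58,86,103,113,145
"""


def load_properties(text):
    """Parse simple key=value lines, skipping blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_enabled(props):
    value = props.get("portlet.add.default.resource.check.enabled", "false")
    return value.lower() == "true"


def whitelist(props):
    """Portlet ids that bypass the token check, as a set of strings."""
    raw = props.get("portlet.add.default.resource.check.whitelist", "")
    return {p.strip() for p in raw.split(",") if p.strip()}


def issue_token():
    """Server-side token that portlet URLs carry from one portlet to another (assumed format)."""
    return secrets.token_urlsafe(32)


def may_add_default_resource(props, portlet_id, presented_token, expected_token):
    """True if a portlet may be dynamically added to a page under the configured policy."""
    if not check_enabled(props):
        return True  # old behaviour: any user may add any add-default-resource portlet
    if portlet_id in whitelist(props):
        return True  # explicitly exempted from the security check
    if presented_token is None or expected_token is None:
        return False  # a hand-constructed URL carries no token
    # constant-time comparison so the check does not leak the token by timing
    return hmac.compare_digest(presented_token, expected_token)
```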

      UPGRADE NOTE:

      This update may cause some portlets that set "add-default-resource" to true in liferay-portlet.xml to no longer work. To revert to the old behavior, set the following in portal(-ext).properties:

      portlet.add.default.resource.check.enabled=false


              People

              Assignee:
              mark.jin Mark Jin (Inactive)
              Reporter:
              brian.chan Brian Chan
              Votes: 0
              Watchers: 0


                Packages

                Version Package: 5.2 EE SP4 (5.2.8)