All portlets in a community is viewable regardless of permission

By constructing the right URL, all portlets in a community is viewable regardless of permission. To address this issue, the following property has been added to portal(-ext).properties:

#

1. Portlets that have configured liferay-portlet.xml with the element
2. "add-default-resource" set to true will allow those portlets to be
3. dynamically added to any page by any user. This is useful
4. (and necessary) for some portlets that need to be dynamically added to a
5. page, but it can also pose a security risk because it also allows any user
6. to do it.
   #
7. Set this property to true to add a security check around this behavior.
8. If set to true, then portlets can only be dynamically added to a page if
9. it contains a proper security token. This security token is automatically
10. passed when using a portlet URL from one portlet to another portlet.
    #
11. Modify the property "portlet.add.default.resource.check.whitelist" to
12. whitelist certain portlets from this security check.
    #
13. The security check utilizes the implementation set in the property
14. "auth.token.impl".
15. 
    portlet.add.default.resource.check.enabled=true

#

1. Set a list of comma delimited list of portlet ids that will bypass the
2. security check set in the property
3. "portlet.add.default.resource.check.enabled".
   #
   portlet.add.default.resource.check.whitelist=58,86,103,113,145

UPGRADE NOTE:

This update may cause some portlets which sets "add-default-resource" in liferay-portlet.xml to true to no longer work. To revert to the old behavior, set the following in portal(-ext).properties:

portlet.add.default.resource.check.enabled=false