PUBLIC - Liferay Portal Community Edition / LPS-104516

HEAD request on "remove widget from page" unconditionally removes it from page

    Details

      Description

      I want to bet that I didn't pick the proper component - but it's the best I could find. Please correct if necessary.

      Walking the links on a page with a HEAD request will happily remove all portlets from the page through triggering the "remove portlet from page" link. This was discovered when implementing a link-walker that checks validity of links (e.g. do they generate 404?) from the context of the current user.

      Steps to reproduce:

      • Log in with administrative permissions (at least for the page)
      • Add the following code to your page - e.g. through your page setup, or through a portlet:
        // Requires jQuery on the page (the original script assumes it is loaded).
        // Issues a HEAD request to the link's href and reports whether the
        // response status is below 400.
        function urlExists(element, callback) {
            var xhr = new XMLHttpRequest();
            xhr.onreadystatechange = function() {
                if (xhr.readyState === 4) {
                    callback(xhr.status < 400);
                }
            };
            xhr.open('HEAD', element.attr("href"));
            xhr.send();
        }
        // On DOM ready, walk every anchor on the page and check its href.
        $(function() {
            $( "a" ).each(function( index ) {
                var element = $(this);
                urlExists(element, function(exists) {
                    console.log('"%s" exists?', element.attr("href"), exists);
                });
            });
        });
        
      • (observe the console about the links walked)
      • (observe network traffic on the URLs triggered)
      • Reload the page and observe that all portlets have been removed from the page.

      A GET or HEAD request should never trigger such a destructive action IMHO. While this is in the context of the currently logged-in user, it is not unheard of for browser plugins to walk through the various links contained on a page.

      It vaguely reminds me of the old story of the Google crawler repeatedly deleting a full website overnight, because it crawled publicly available destructive operations with GET. Here the links (and permissions) are at least not available publicly, but I was astonished to suddenly realize that my content had gone missing silently.

      (thanks Jan Verweij for the idea to walk links with JS. A quick fix for the script is to walk $(".portlet-body a") instead of $("a"), but this ticket is not about fixing this script, it's about the platform's behavior)

People

• Assignee: support-lep@liferay.com (SE Support)
• Reporter: olaf.kock (Olaf Kock)