Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-119579

Site members see Publications in the Application menu despite not having permissions to view it

    Details

      Description

      Steps to reproduce:

      1. Create a new user
      2. Assign new user to Liferay site (under memberships)
      3. Login as that new member

      Expected Result: User cannot see Publications under the Application menu

      Actual Result: User can see Publications under the Application menu. Clicking it causes the portlet to fail to load and the following error message appears.

        2020-08-21 16:51:05.670 ERROR [http-nio-8080-exec-7][render_portlet_jsp:131] null
      com.liferay.portal.kernel.security.auth.PrincipalException: User 38122 must have administrator role to access ChangeListsConfigurationPortlet
      	at com.liferay.change.tracking.web.internal.portlet.ChangeListsConfigurationPortlet.checkPermissions(ChangeListsConfigurationPortlet.java:125)
      	at com.liferay.change.tracking.web.internal.portlet.ChangeListsConfigurationPortlet.checkRender(ChangeListsConfigurationPortlet.java:134)
      	at com.liferay.change.tracking.web.internal.portlet.ChangeListsConfigurationPortlet.render(ChangeListsConfigurationPortlet.java:76)
      	at com.liferay.portlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:127)
      	at com.liferay.portlet.ScriptDataPortletFilter.doFilter(ScriptDataPortletFilter.java:58)
      	at com.liferay.portlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:124)
      	at com.liferay.portal.kernel.portlet.PortletFilterUtil.doFilter(PortletFilterUtil.java:71)
      	at com.liferay.portal.kernel.servlet.PortletServlet.service(PortletServlet.java:115)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
      	at org.eclipse.equinox.http.servlet.internal.registration.EndpointRegistration.service(EndpointRegistration.java:153)
      	at org.eclipse.equinox.http.servlet.internal.servlet.ResponseStateHandler.processRequest(ResponseStateHandler.java:62)
      	at org.eclipse.equinox.http.servlet.internal.context.DispatchTargets.doDispatch(DispatchTargets.java:120)
      	at org.eclipse.equinox.http.servlet.internal.servlet.RequestDispatcherAdaptor.include(RequestDispatcherAdaptor.java:48)
      	at com.liferay.portlet.internal.InvokerPortletImpl.invoke(InvokerPortletImpl.java:571)
      	at com.liferay.portlet.internal.InvokerPortletImpl.invokeRender(InvokerPortletImpl.java:661)
      	at com.liferay.portlet.internal.InvokerPortletImpl.render(InvokerPortletImpl.java:344)
      	at com.liferay.portal.monitoring.internal.portlet.MonitoringInvokerPortlet.lambda$render$0(MonitoringInvokerPortlet.java:259)
      	at com.liferay.portal.monitoring.internal.portlet.MonitoringInvokerPortlet._render(MonitoringInvokerPortlet.java:363)
      	at com.liferay.portal.monitoring.internal.portlet.MonitoringInvokerPortlet.render(MonitoringInvokerPortlet.java:257)
      	at org.apache.jsp.html.portal.render_005fportlet_jsp._jspService(render_005fportlet_jsp.java:1489)

      Tested on:
      Tomcat 9.0.33 + MySQL 5.7
      Portal master SHA: 73e2868650fbe778fbf120c0e895172196ec2e50

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              brian.lee Brian Lee
              Reporter:
              brian.lee Brian Lee
              Participants of an Issue:
              Recent user:
              Jason Pince
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Days since last comment:
                8 weeks, 3 days ago

                  Packages

                  Version Package
                  7.3.5 CE GA6
                  7.3.10 DXP GA1
                  Master