Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-133074

Freemarker error: "Denied access to model object as it does not belong to current company"



      Reproduction Steps on master:

      1. Startup Liferay
      2. Navigate to Site (Liferay) > Content & Data > Documents and Media
      Add a document using File Upload with the title: test
      3. Navigate to Site (Liferay) > Design > Widget Templates
      Add an Asset Publisher Template: testTemplate with the following content:

      Widget templates can be used to modify the look of a
      specific application.
      Please use the left panel to quickly add commonly used variables.
      Autocomplete is also available and can be invoked by typing "${".
          dlFileEntryService = serviceLocator.findService("com.liferay.document.library.kernel.service.DLFileEntryService")
          groupId = themeDisplay.getScopeGroupId()
          folderId = 0
          title = "test"
          fileEntry = dlFileEntryService.getFileEntry(groupId, folderId, title)!""
          fileEntryType = fileEntry.getDLFileEntryType()

      4. Navigate to Control Panel > System Settings > Template Engines
      Look for serviceLocator
      Click on the minus button to remove it
      Click Save/Update
      5. Navigate to the home page and add an Asset Publisher, with:
      Add our created test document ( [+] > Content > test )
      6. Configure the added Asset Publisher widget
      Change Display Settings from Default to our created testTemplate
      Click Save
      7. Refresh the home page and check if denied access error occurs


      Reproduction Steps on 7.3.x:

      1. Start Liferay DXP 7.3.x
      2. Go to Control Panel→System Settings→Template Engines
      3. Look for serviceLocator→click on the minus button to remove it→Update
      4. Return to the site
      5. Create a structure with DocumentList.jsonas source and TestStructure as the title
      6. Create a template with DocumentList_mod.ftl
      7. Go to Documents and Media→Document Types→+ sign
      8. Title: TestDocumentType
      9. Add a Documents & Media field→Save
      10. Add a new TestDocumentType→title: TestDDM
      11. Click on Select→upload an image (test.jpg)→Save
      12. Create a web content with TestStructure
      13. Set TestDDM for the Documents field→Publish
      14. Create a widget page TestWidgetPage
      15. Click on the + sign to add portlets
      16. Click on the Content tab
      17. Search for TestWebContent and place it onto the page
      18. Checkpoint: a link is visible: Documents
      19. Open TestWebContent again
      20. Change the Documents field to test.jpg→Publish
      21. Visit TestWidgetPage again

      Expected Behavior
      we can see the link to the image, just like in the checkpoint step.

      Actual Behavior
      error in server logs and in the web content display:

      Errors received:

      An error occurred while processing the template.
      Denied access to model object as it does not belong to current company 20097
      FTL stack trace ("~" means nesting-related):
              - Failed at: #local fileEntryType = fileEntry.getD...  [in template "20097#20123#40609" in macro "renderDocumentListContent" at line 33, column 17]
              - Reached through: @renderDocumentListContent text, docu...  [in template "20097#20123#40609" at line 106, column 9]


      The current code blocks access to all objects that don't belong to the current company (e.g. 20116 or something like that). That change was introduced this year and improves the security, it is not possible to access objects belonging to other companies anymore - which is correct.

      But it has a hole, there are some objects, like the documenttype BASIC_DOCUMENT, that have a companyId of 0. So, if you want to handle files differently in freemarker based on the document type, you run into an "Access denied" error. And that's simply not correct. BASIC_DOCUMENT should be accessible.
      A possible fix would check for that too and would allow objects with companyId == 0 too.


        Issue Links



              support-lep@liferay.com SE Support
              peter.petrekanics Peter Petrekanics (Inactive)
              Brian Wulbern Brian Wulbern
              Roberto Díaz Roberto Díaz
              0 Vote for this issue
              2 Start watching this issue


                18 weeks, 4 days ago


                  Version Package