PUBLIC - Liferay Portal Community Edition

LPS-154678: headless API could be using the wrong Service to create portlet attachments


    • Bug
    • Status: Verified
    • Resolution: Unresolved
    • 7.2.X, 7.3.X, Master
    • None
    • None
    • 3
    • Security


In a code analysis (for a different issue) I saw that BlogPostingImageResourceImpl is using DLApp instead of the PortletFileRepository service (as we do in BlogsEntryLocalServiceImpl).

After a deeper analysis we've seen that this is not critical (because in blogs we don't force-check the parent entity permissions), but it is convenient to use the right Service.

I've also checked more headless use cases related to Attachments and I've found a case that could be a security risk:

StructuredContentResourceImpl uses DLApp on JournalArticleContent creation, and in some cases it could be wrong:

If you check com.liferay.journal.service.impl.JournalArticleLocalServiceImpl#_addArticleAttachmentFileEntry you'll see that in this method we are using:


In this case this is dangerous because in the service we pass the className and the classPK of the article and we check its permissions when rendering the image, but if we create this field using DLApp these fields are empty.

If that happens we could find that users without view permission for the article could see the attachment, and this is a security risk.
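As an added illustration (not code from the Liferay source tree or from this issue), the two creation paths side by side: the DLApp call, which leaves the file entry's className/classPK empty, and the PortletFileRepository call, which records the owning article so a render-time view-permission check has something to check, plus an audit helper that flags entries with no owner. Method signatures are assumed from the 7.2/7.3 kernel API; `JournalArticleAttachmentExample` and `isOrphaned` are hypothetical names.

```java
import com.liferay.document.library.kernel.model.DLFileEntry;
import com.liferay.document.library.kernel.service.DLAppLocalService;
import com.liferay.journal.constants.JournalConstants;
import com.liferay.journal.model.JournalArticle;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.portletfilerepository.PortletFileRepository;
import com.liferay.portal.kernel.repository.model.FileEntry;
import com.liferay.portal.kernel.service.ServiceContext;
import com.liferay.portal.kernel.util.Validator;

// Hypothetical helper written for this issue; not part of Liferay.
public class JournalArticleAttachmentExample {

	public JournalArticleAttachmentExample(
		DLAppLocalService dlAppLocalService,
		PortletFileRepository portletFileRepository) {

		_dlAppLocalService = dlAppLocalService;
		_portletFileRepository = portletFileRepository;
	}

	// Weak path (what the report describes for StructuredContentResourceImpl):
	// DLApp knows nothing about the article, so the DLFileEntry's
	// className/classPK stay empty and rendering cannot tie the image back
	// to the article's VIEW permission. Signature assumed from 7.2/7.3.
	public FileEntry addViaDLApp(
			long userId, long repositoryId, long folderId, String fileName,
			String mimeType, byte[] bytes, ServiceContext serviceContext)
		throws PortalException {

		return _dlAppLocalService.addFileEntry(
			userId, repositoryId, folderId, fileName, mimeType, fileName, null,
			null, bytes, serviceContext);
	}

	// Corrected path (the pattern JournalArticleLocalServiceImpl follows):
	// the article's class name and resource primary key are stored on the
	// file entry, so the permission check on render can find the parent.
	public FileEntry addViaPortletFileRepository(
			long groupId, long userId, JournalArticle article, long folderId,
			String fileName, String mimeType, byte[] bytes)
		throws PortalException {

		return _portletFileRepository.addPortletFileEntry(
			groupId, userId, JournalArticle.class.getName(),
			article.getResourcePrimKey(), JournalConstants.SERVICE_NAME,
			folderId, bytes, fileName, mimeType, true);
	}

	// Audit check: an attachment whose DLFileEntry carries no owning class is
	// one the parent-permission check cannot protect.
	public static boolean isOrphaned(FileEntry fileEntry) {
		Object model = fileEntry.getModel();

		if (!(model instanceof DLFileEntry)) {
			return false;
		}

		DLFileEntry dlFileEntry = (DLFileEntry)model;

		return Validator.isNull(dlFileEntry.getClassName()) ||
			(dlFileEntry.getClassPK() == 0);
	}

	private final DLAppLocalService _dlAppLocalService;
	private final PortletFileRepository _portletFileRepository;

}
```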





            support-lep@liferay.com SE Support
            roberto.diaz Roberto Díaz
            Kiyoshi Lee Kiyoshi Lee