  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-16394

AssetTagPropertyService has no security checks

    Details

      Description

      The AssetTagPropertyService currently has no security checks implemented. This means that:

      • any logged-in user can add asset tag properties to tags
      • any guest can delete any asset tag property

      To reproduce:

      1. Go to tags in the control panel, add the tag mytag, then add a property myprop with value myval.
      2. In an SQL client, execute:

      SELECT tagPropertyId FROM AssetTagProperty WHERE value= 'myval';

      3. As a guest, open the following URL in the browser:

      http://localhost:8080/c/portal/json_service?serviceClassName=com.liferay.portlet.asset.service.AssetTagPropertyServiceUtil&serviceMethodName=deleteTagProperty&serviceParameters=[%22tagPropertyId%22]&tagPropertyId=ID_YOU_FOUND_IN_STEP_2

      You will now see that the property has been removed.

      You should not be able to do this as a guest.
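
The missing check described in this report, shown as an added example that is not part of the original issue and is not Liferay's code: a remotely callable delete method without and with an authorization check on the parent tag. Every type and method name below (`Caller`, `TagProperty`, `deleteTagPropertyChecked`, and so on) is a hypothetical stand-in.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of a remotely callable service. All types here are
// hypothetical stand-ins for illustration, not Liferay classes.
public class TagPropertyServiceDemo {

    record TagProperty(long tagPropertyId, long tagId, String key, String value) {}

    // Caller identity as the service layer sees it; a guest is not signed in.
    record Caller(long userId, boolean signedIn, boolean canUpdateTags) {}

    // Constructed in-memory stand-in for the AssetTagProperty table.
    static final Map<Long, TagProperty> STORE = new HashMap<>();

    // Behaviour described in the report: the method deletes by id and never
    // looks at who is calling.
    static void deleteTagPropertyUnchecked(Caller caller, long tagPropertyId) {
        STORE.remove(tagPropertyId);
    }

    // Hardened form: resolve the property to its parent tag and require
    // update rights on that tag before touching the row. Unknown ids and
    // unauthorized callers get the same error, so ids cannot be probed.
    static void deleteTagPropertyChecked(Caller caller, long tagPropertyId) {
        TagProperty property = STORE.get(tagPropertyId);
        if (property == null || !mayUpdateTag(caller, property.tagId())) {
            throw new SecurityException("Not permitted");
        }
        STORE.remove(tagPropertyId);
    }

    // The same predicate should guard adding and updating properties, which
    // the report says any signed-in user can currently do.
    static boolean mayUpdateTag(Caller caller, long tagId) {
        return caller.signedIn() && caller.canUpdateTags();
    }

    public static void main(String[] args) {
        Caller guest = new Caller(0, false, false);
        STORE.put(1L, new TagProperty(1L, 10L, "myprop", "myval"));
        try {
            deleteTagPropertyChecked(guest, 1L);
        } catch (SecurityException e) {
            System.out.println("checked: denied, rows=" + STORE.size());
        }
        deleteTagPropertyUnchecked(guest, 1L);
        System.out.println("unchecked: rows=" + STORE.size());
    }
}
```

The point of the hardened method is that the check lives in the service method itself, so it applies regardless of which remote entry point invokes it.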

            People

            Assignee:
            kristoffer.onias Kristoffer Onias
            Reporter:
            jelmer Jelmer Kuperus (Inactive)
            Recent user:
            Esther Sanz

              Dates

              Created:
              Updated:
              Resolved:
              Days since last comment:
              9 years, 26 weeks ago

                Packages

                Version Package
                --Sprint 12/11
                6.1.0 CE RC1