  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-34848

Portlet permissions not correctly applied in customizable zone



      Users (site members) can see portlets added by an administrator in the customizable zones even if all the "View" permissions have been unchecked/removed by the administrator.

      Steps to reproduce:

      1. Create a new user, e.g. "Test01"
        Assign it to the default "Liferay" site
      2. Go back to the "Welcome" page
        a) Click on the dockbar -> Manage -> Page
        b) Go to the customization settings at the right side of the page
        c) Check the customizable checkbox for "column-1"
        d) Save it
      3. Click on the view default page option in the dockbar
      4. Place the Translator portlet below the "Hello world" portlet (in the non-customizable zone)
        a) Configure it so that only the owner has all of the permissions for this portlet; the rest of the checkboxes should be unchecked
        b) Save it
      5. Log in in a different browser with "Test01"
        a) Click on the view default page option in the dockbar
        • "Test01" is not able to see the content of the Translator portlet and sees the warning message: "You do not have the roles required to access this portlet." - It's OK
        b) If you go to the user's customized page and click on the "Reset My Customization" option, it works correctly.
        • So far so good.
      6. Switch back to the admin session
      7. Move the "Translator" portlet below the "Sign in" portlet (to the customizable zone)
        a) Make sure that the permissions aren't changed!
      8. Go back to the "Test01" session
      9. Refresh the page and now you can see that the portlet has been moved and you still don't have permission to view it
      10. Click on the "View My Customized Page" option in the dockbar with "Test01"
      11. Click on the "Reset My Customization" option
      12. Now you are able to see the "Translator" portlet's content even though you don't have view permission for it! - It's not OK!
        Furthermore, if you remove the "Translator" portlet from the customized page with "Test01", go back to the admin session and check the permissions, you can see that the permissions for Guest and Site Members have been restored, which might cause this issue.





              tammy.fong Tammy Fong (Inactive)
              norbert.kocsis Norbert Kocsis (Inactive)
              Rafaela Nascimento Rafaela Nascimento


                8 years, 49 weeks ago


                  Version Package
                  6.1.X EE
                  6.2.0 CE M6