LPS-43419 (PUBLIC - Liferay Portal Community Edition)

When BaseAlloyControllerImpl rejects a request based on permissions, it doesn't prevent the controller from executing

    Details

      Description

      BaseAlloyControllerImpl checks permissions by default when a request comes in, to make sure the current user is allowed to perform the given action on the given resource. However, when it rejects the action, it still lets the controller code execute before eventually redirecting to the error JSP. This is a problem: if the action involves sending information somewhere, or deleting or saving something, rather than just displaying information, the denial does not actually prevent it.

      This isn't super easy to reproduce, but it essentially looks like this:
      1. Deploy an Alloy Portlet that has permissioning implemented.
      2. Add a System.out.println in some controller action.
      3. Log in as a user that does not have access to the action where you added the System.out.println line.
      4. Attempt to perform the restricted action.

      Expected: The System.out.println line should not print to the console.
      Observed: The System.out.println line prints to the console.
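To make the failure mode concrete, here is an added, self-contained Java sketch of the flawed dispatch pattern beside the corrected one. It is not Liferay's BaseAlloyControllerImpl code; `PermissionGateDemo`, `Action`, `Result`, `hasPermission`, `flawedDispatch` and `fixedDispatch` are names assumed for illustration.

```java
import java.util.ArrayList;
import java.util.List;

// Constructed illustration of the bug pattern described in the issue, not Liferay's code.
public class PermissionGateDemo {

    // A controller action with a side effect (e.g. deleting a record).
    interface Action { void execute(List<String> sideEffects); }

    static class Result {
        final boolean allowed;
        final String view;
        Result(boolean allowed, String view) { this.allowed = allowed; this.view = view; }
    }

    // Stand-in for the permission check; only "admin" may run the action.
    static boolean hasPermission(String user) { return "admin".equals(user); }

    // Flawed: records the denial and selects the error view, but still executes the action.
    static Result flawedDispatch(String user, Action action, List<String> sideEffects) {
        String view = "success.jsp";
        boolean allowed = hasPermission(user);
        if (!allowed) {
            view = "error.jsp";           // the redirect is scheduled...
        }
        action.execute(sideEffects);      // ...but the controller code still runs
        return new Result(allowed, view);
    }

    // Fixed: the permission check short-circuits before any controller code runs.
    static Result fixedDispatch(String user, Action action, List<String> sideEffects) {
        if (!hasPermission(user)) {
            return new Result(false, "error.jsp");
        }
        action.execute(sideEffects);
        return new Result(true, "success.jsp");
    }

    public static void main(String[] args) {
        Action deleteRecord = effects -> effects.add("record deleted");

        List<String> flawedEffects = new ArrayList<>();
        Result r1 = flawedDispatch("guest", deleteRecord, flawedEffects);
        System.out.println("flawed: view=" + r1.view + " sideEffects=" + flawedEffects);

        List<String> fixedEffects = new ArrayList<>();
        Result r2 = fixedDispatch("guest", deleteRecord, fixedEffects);
        System.out.println("fixed:  view=" + r2.view + " sideEffects=" + fixedEffects);
    }
}
```

Running `main` shows the flawed dispatcher reaching the error view with the side effect already recorded, while the fixed dispatcher reaches the same view with the side-effect list empty.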

        Attachments

        1. ams-6.1.x.gif (12.07 MB)
        2. ams-ee-6.2.x.gif (14.54 MB)
        3. fix.jpg (16 kB)


        Packages (Version / Package)

        6.1.X / EE
        6.2.X / EE