Affects Version/s: 6.1.30 EE GA3, 6.1.X EE, 6.2.X EE
By default, BaseAlloyControllerImpl checks permissions on each incoming request to confirm that the current user may perform the requested action on the requested resource. However, when that check fails it does not stop processing: the controller action method still executes, and only afterwards is the response redirected to the error JSP. The check fails open. For an action that merely displays information this only suppresses the rendering, but if the action has side effects, such as sending data somewhere, deleting a record, or saving one, those side effects are carried out for a user who was denied; the error page is shown only after the work has already been done.
This is not easy to reproduce in isolation, but the steps are essentially:
1. Deploy an Alloy portlet that implements permission checks.
2. Add a System.out.println call to a controller action method, as a stand-in for a real side effect.
3. Log in as a user who does not have permission for the action to which you added the System.out.println line.
4. Attempt to perform the restricted action.
Expected: The System.out.println line does not print to the console, because the action method is never entered for a user who lacks permission.
Observed: The System.out.println line prints to the console; the action method ran before the redirect to the error JSP.
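The two orderings side by side, as an added example that is not Liferay code: a minimal dispatcher in Python with the fail-open ordering this report describes (check, run the action anyway, redirect last) beside a fail-closed one that aborts before the action method is reached. All names (Context, dispatch_fail_open, dispatch_fail_closed, delete_entry, the inline ACL) are hypothetical stand-ins, and the in-memory side-effect log plays the role of the System.out.println in the reproduction steps above.

```python
"""Model of a permission check that fails open versus one that fails closed.

Added example, not code from BaseAlloyControllerImpl: only the control flow
is the point. Names and the ACL below are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class PermissionDenied(Exception):
    """Raised when the current user may not perform the requested action."""


@dataclass
class Context:
    user: str
    allowed: Dict[str, Set[str]]          # hypothetical ACL: user -> permitted actions
    log: List[str] = field(default_factory=list)   # side effects the action performed
    redirect: Optional[str] = None                 # where the response was sent


def check_permission(ctx: Context, action: str) -> bool:
    return action in ctx.allowed.get(ctx.user, set())


def delete_entry(ctx: Context) -> str:
    # An action with a side effect: the stand-in for the System.out.println.
    ctx.log.append("deleted entry")
    return "entry deleted"


ACTIONS = {"delete": delete_entry}


def dispatch_fail_open(ctx: Context, action: str) -> Optional[str]:
    """Flawed ordering: a failed check only marks the request as denied,
    the action method still runs, and the redirect happens last."""
    denied = not check_permission(ctx, action)
    result = ACTIONS[action](ctx)        # executes even when denied
    if denied:
        ctx.redirect = "/error.jsp"
        return None
    return result


def dispatch_fail_closed(ctx: Context, action: str) -> str:
    """Fixed ordering: deny before dispatch, so the action body is never reached."""
    if not check_permission(ctx, action):
        ctx.redirect = "/error.jsp"
        raise PermissionDenied(f"{ctx.user} may not {action}")
    return ACTIONS[action](ctx)


def run(dispatcher, user: str = "guest"):
    """Drive one 'delete' request as the given user with a constructed ACL in
    which only 'admin' may delete; return (side effects, redirect target)."""
    ctx = Context(user=user, allowed={"admin": {"delete"}})
    try:
        dispatcher(ctx, "delete")
    except PermissionDenied:
        pass
    return ctx.log, ctx.redirect


if __name__ == "__main__":
    # The denied user still causes the side effect under the fail-open ordering.
    print("fail-open:  ", run(dispatch_fail_open))    # (['deleted entry'], '/error.jsp')
    print("fail-closed:", run(dispatch_fail_closed))  # ([], '/error.jsp')
```

The fail-closed variant raises before looking up the action at all, so no controller code belonging to the action can run; the redirect to the error page is set on the way out. Any permission check that records a denial and then continues dispatching, as in the first variant, protects only the rendered view, not the work the action does.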