Project: PUBLIC - Liferay Portal Community Edition
Issue: LPS-43419

When BaseAlloyControllerImpl rejects a request based on permissions, it doesn't prevent the controller from executing

Description

BaseAlloyControllerImpl by default checks permissions when requests come in, to make sure the current user has permission to perform the given action on the given resource. However, if it rejects the action, it still allows the controller code to execute before eventually redirecting the page to the error JSP. This is problematic: the check only decides where the user is redirected, it does not stop the action. If the action were to involve sending information somewhere, or deleting or saving something, rather than just displaying information, that action would not be prevented.

      This isn't super easy to reproduce, but it essentially looks like this:
      1. Deploy an Alloy Portlet that has permissioning implemented.
      2. Add a System.out.println in some controller action.
      3. Log in as a user that does not have access to the action where you added the System.out.println line.
      4. Attempt to perform the restricted action.

      Expected: The System.out.println line should not print to the console.
      Observed: The System.out.println line prints to the console.
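The flaw and its fix, modelled as a small self-contained Java program added here for illustration. It is not Liferay's BaseAlloyControllerImpl and uses none of its API: `hasPermission`, `controllerAction`, `executeFlawed` and `executeFixed` are constructed stand-ins that show why a denial must short-circuit the request rather than merely select the error page.

```java
import java.util.ArrayList;
import java.util.List;

// Constructed model of the bug described in this issue; not Liferay code.
public class PermissionGateDemo {

    // Side effects performed by the "controller action"; must stay empty on a denial.
    static final List<String> sideEffects = new ArrayList<>();

    // Stand-in for the permission check: only "admin" may run the action.
    static boolean hasPermission(String user) {
        return "admin".equals(user);
    }

    // The action body, e.g. a delete or a save. Any entry added here by a
    // denied user is exactly the unwanted behaviour the issue reports.
    static void controllerAction(String user) {
        sideEffects.add(user + " executed deleteEntry");
    }

    // Flawed flow: the failed check only changes the redirect target, and the
    // action still runs before the redirect happens.
    static String executeFlawed(String user) {
        String redirect = "view.jsp";
        if (!hasPermission(user)) {
            redirect = "error.jsp";   // denial recorded, but execution continues
        }
        controllerAction(user);       // reached even when redirect == error.jsp
        return redirect;
    }

    // Fixed flow: a failed check returns before any action code is entered.
    static String executeFixed(String user) {
        if (!hasPermission(user)) {
            return "error.jsp";       // short-circuit; the action body never runs
        }
        controllerAction(user);
        return "view.jsp";
    }

    public static void main(String[] args) {
        executeFlawed("guest");
        System.out.println("flawed flow, denied user, side effects: " + sideEffects);
        sideEffects.clear();
        executeFixed("guest");
        System.out.println("fixed flow, denied user, side effects: " + sideEffects);
    }
}
```

Running it shows the flawed flow records a side effect for the denied user while the fixed flow records none, which is the difference between the Observed and Expected results above.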

Attachments

1. ams-6.1.x.gif (12.07 MB)
2. ams-ee-6.2.x.gif (14.54 MB)
3. fix.jpg (16 kB)


People

Assignee: lu.liu (Lu Liu)
Reporter: ethan.bustad (Ethan Bustad)
Participants of an issue (recent user): Esther Sanz
Votes: 0
Watchers: 2

Dates

Days since last comment: 6 years, 22 weeks, 1 day ago

Packages

Version Package: 6.1.X EE, 6.2.X EE