LPS-43419 (PUBLIC - Liferay Portal Community Edition)

When BaseAlloyControllerImpl rejects a request based on permissions, it doesn't prevent the controller from executing



BaseAlloyControllerImpl checks permissions by default on incoming requests, to make sure the current user is allowed to perform the given action on the given resource. However, when it rejects the action, it still lets the controller code execute before eventually redirecting the page to the error JSP. This is problematic: if the action sends information somewhere, or deletes or saves something, rather than just displaying information, that action is not prevented.

This isn't super easy to reproduce, but it essentially looks like this:

1. Deploy an Alloy Portlet that has permissioning implemented.
2. Add a System.out.println in some controller action.
3. Log in as a user that does not have access to the action where you added the System.out.println line.
4. Attempt to perform the restricted action.

Expected: The System.out.println line should not print to the console.
Observed: The System.out.println line prints to the console.
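The control-flow defect described above, shown beside the corrected form, as an added illustration; this is not Liferay's BaseAlloyControllerImpl source, and the class, method and permission-table names are assumed:

```java
// Added illustration of a permission check that records a redirect but does
// not stop the action (buggy), beside a check that short-circuits (fixed).
// Names are assumed; the permission table is constructed for the example.
public class PermissionGateExample {

    /** Minimal stand-in for a controller action with side effects. */
    interface Action {
        void execute();
    }

    /** Minimal stand-in for the request being dispatched. */
    static class Request {
        final String user;
        final String action;
        String redirectTarget;          // set when the request is denied
        Request(String user, String action) { this.user = user; this.action = action; }
    }

    // Constructed policy: anyone may "view"; only "admin" may do anything else.
    static boolean hasPermission(String user, String action) {
        return "view".equals(action) || "admin".equals(user);
    }

    /** Buggy flow: denial only schedules the error redirect; the action still runs. */
    static void dispatchBuggy(Request req, Action action) {
        if (!hasPermission(req.user, req.action)) {
            req.redirectTarget = "/error.jsp";   // recorded, but execution continues
        }
        action.execute();                         // side effects happen even when denied
    }

    /** Fixed flow: a denied request returns before any controller code executes. */
    static void dispatchFixed(Request req, Action action) {
        if (!hasPermission(req.user, req.action)) {
            req.redirectTarget = "/error.jsp";
            return;                               // deny first, then nothing else runs
        }
        action.execute();
    }

    public static void main(String[] args) {
        int[] deletes = {0};
        Action delete = () -> deletes[0]++;      // stands in for a destructive action
        Request denied = new Request("guest", "delete");
        dispatchBuggy(denied, delete);           // deletes[0] becomes 1 despite denial
        dispatchFixed(denied, delete);           // deletes[0] stays 1
        System.out.println("deletes=" + deletes[0] + " redirect=" + denied.redirectTarget);
    }
}
```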


Attachments:

1. ams-6.1.x.gif (12.07 MB, Serena Song)
2. ams-ee-6.2.x.gif (14.54 MB, Serena Song)
3. fix.jpg (16 kB, Lu Liu)



Version Package: 6.1.X EE, 6.2.X EE