  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-69252

Asset Publisher scope configuration throws a PrincipalException because sites are viewable and selectable for users who are not administrators

    Details

      Description

      1. Add two regular organizations org1 and org2. Check "create site" for both.
      2. Create user A, assign both orgs to him. Also assign him organization role Organization Administrator for org1.
      3. Add a public page to org1 site.
      4. Log in with A and go to that page, place an asset publisher on it.
      5. Open configuration for the asset publisher and in the Scope section click Select/Other Site. Choose org2.
      Result: On the UI "Portlet Configuration is temporarily unavailable." and in the logs:

      13:26:25,867 ERROR [http-bio-8080-exec-5][render_portlet_jsp:132] null
      com.liferay.portal.security.auth.PrincipalException
      	at com.liferay.portlet.assetpublisher.action.ConfigurationActionImpl.checkPermission(ConfigurationActionImpl.java:294)
      	at com.liferay.portlet.assetpublisher.action.ConfigurationActionImpl.addScope(ConfigurationActionImpl.java:273)
      	at com.liferay.portlet.assetpublisher.action.ConfigurationActionImpl.processAction(ConfigurationActionImpl.java:134)
      	at com.liferay.portlet.portletconfiguration.action.EditConfigurationAction.processAction(EditConfigurationAction.java:76)
      	at com.liferay.portal.struts.PortletRequestProcessor.process(PortletRequestProcessor.java:166)
      	at com.liferay.portlet.StrutsPortlet.processAction(StrutsPortlet.java:218)
      	at com.liferay.portlet.FilterChainImpl.doFilter(FilterChainImpl.java:71)
      	at com.liferay.portal.kernel.portlet.PortletFilterUtil.doFilter(PortletFilterUtil.java:48)
      	at com.liferay.portlet.InvokerPortletImpl.invoke(InvokerPortletImpl.java:597)
      	at com.liferay.portlet.InvokerPortletImpl.invokeAction(InvokerPortletImpl.java:628)
      	at com.liferay.portlet.InvokerPortletImpl.processAction(InvokerPortletImpl.java:308)
      	at com.liferay.portlet.PortletContainerImpl._doProcessAction(PortletContainerImpl.java:389)
      	at com.liferay.portlet.PortletContainerImpl.processAction(PortletContainerImpl.java:107)
      	at com.liferay.portlet.SecurityPortletContainerWrapper.processAction(SecurityPortletContainerWrapper.java:109)
      	at com.liferay.portlet.RestrictPortletContainerWrapper.processAction(RestrictPortletContainerWrapper.java:75)
      	at com.liferay.portal.kernel.portlet.PortletContainerUtil.processAction(PortletContainerUtil.java:115)
      	at com.liferay.portal.action.LayoutAction.processLayout(LayoutAction.java:386)
      	at com.liferay.portal.action.LayoutAction.doExecute(LayoutAction.java:200)
      	at com.liferay.portal.action.LayoutAction.execute(LayoutAction.java:95)
      	at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
      

      I could also reproduce the same using sites directly, without organizations.

      As a user you are able to select sites from asset publisher even if you are not an administrator. This will result in a PrincipalException.
      According to the product documentation about Content Sharing you have to be an admin to select content to be displayed from other sites (and you should only view the sites that you administer).
      So the sites should not even be listed or available to choose if the user is not an administrator of them.
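
An added illustration of the behaviour requested above, not Liferay's code or the reporter's: a self-contained Java model in which the site selector and the server-side check share one predicate, so user A is never offered org2 and a request naming org2 is still rejected. All class and method names are hypothetical, and `SecurityException` stands in for `PrincipalException`.

```java
import java.util.*;
import java.util.stream.Collectors;

// Hypothetical model, not Liferay's API: one predicate decides both what the
// site selector lists and what the configuration action accepts.
public class ScopeSelectionExample {
    static final class User {
        final String name;
        final Set<String> memberOf = new HashSet<>();     // sites the user belongs to
        final Set<String> administers = new HashSet<>();  // sites where the user holds an admin role
        User(String name) { this.name = name; }
    }

    // Single source of truth for "may this user pull content from this site?"
    static boolean isScopeSelectable(User user, String site) {
        return user.administers.contains(site);
    }

    // UI side: build the "Other Site" list from the same predicate.
    static List<String> selectableSites(User user, Collection<String> allSites) {
        return allSites.stream()
            .filter(site -> isScopeSelectable(user, site))
            .sorted()
            .collect(Collectors.toList());
    }

    // Server side: still enforced on submit, because a request can name any site.
    static void addScope(User user, String site, Set<String> configuredScopes) {
        if (!isScopeSelectable(user, site)) {
            throw new SecurityException(user.name + " may not use " + site + " as a scope");
        }
        configuredScopes.add(site);
    }

    public static void main(String[] args) {
        // Constructed data mirroring the report: A is in org1 and org2, admin of org1 only.
        User a = new User("A");
        a.memberOf.addAll(Arrays.asList("org1", "org2"));
        a.administers.add("org1");
        System.out.println("listed: " + selectableSites(a, a.memberOf));
        Set<String> scopes = new TreeSet<>();
        addScope(a, "org1", scopes);
        try {
            addScope(a, "org2", scopes);  // request for a site the selector never offered
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("scopes: " + scopes);
    }
}
```

Filtering the list removes the confusing error for legitimate users; the check in `addScope` is what actually protects org2's content, so it stays even once the list is filtered.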

              People

              • Assignee:
                raven.song Raven Song
                Reporter:
                rimi.saadou Rimi Saadou (Inactive)
                Participants of an Issue:
                Recent user:
                Jason Pince