Resolution: Won't Fix
Affects Version/s: 6.2.X EE, 7.0.X, Master
Fix Version/s: None
Component/s: Application Security
As an unauthenticated user, when attempting to access a portlet whose property "com.liferay.portlet.add-default-resource" is not set to true, the portlet is still not viewable even when the portlet is white-listed or the default resource check is disabled.
This is because DefaultLayoutTypeAccessPolicyImpl.java first checks the portlet's "com.liferay.portlet.add-default-resource" property and returns false when it is false. It should first check whether the default resource check is enabled at all, and then whether the portlet is white-listed.
Steps to reproduce:
- Deploy "com.liferay.login.web.jar", which has the property "com.liferay.portlet.add-default-resource" set to false. Alternatively, create your own plugin with that property set to false.
- Either add the portletId to the property "portlet.add.default.resource.check.whitelist" (should avoid checking resource for those specific portlets) or set the property "portlet.add.default.resource.check.enabled" to false (avoids the resource check for all portlets).
- Attempt to access the portlet as an unauthenticated user
Expected: Portlet is viewable, either because we do not check resources for that specific portlet or for all portlets depending on the action taken in step 2
Actual: Portlet is not viewable and the user is presented with the "You do not have the roles required to access this portlet." message.
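To make the ordering problem concrete, the following is an added illustration, not code from the issue or from Liferay's DefaultLayoutTypeAccessPolicyImpl. It models the two portal.properties keys named above in a small PortalProperties holder and compares the check ordering the issue reports against the ordering it proposes for the three reproduction scenarios (white-listed, check disabled, neither). The class name, method names, the PortalProperties holder and the portlet id string are assumptions made for this illustration.

```java
import java.util.Set;

/**
 * Toy model of the access decision described in the issue. This is NOT
 * Liferay's DefaultLayoutTypeAccessPolicyImpl; every name here is assumed.
 * A return value of true means "portlet is viewable by the guest".
 */
public class DefaultResourceCheckOrdering {

    /** Constructed stand-in for the two portal.properties keys named in the issue. */
    static final class PortalProperties {
        // portlet.add.default.resource.check.enabled
        final boolean addDefaultResourceCheckEnabled;
        // portlet.add.default.resource.check.whitelist
        final Set<String> addDefaultResourceCheckWhitelist;

        PortalProperties(boolean enabled, Set<String> whitelist) {
            this.addDefaultResourceCheckEnabled = enabled;
            this.addDefaultResourceCheckWhitelist = whitelist;
        }
    }

    /** Ordering the issue reports: the portlet property is consulted first. */
    static boolean reportedOrdering(PortalProperties props, String portletId,
                                    boolean addDefaultResource) {
        if (!addDefaultResource) {
            // Returns before the enabled flag or the whitelist is ever consulted,
            // which is exactly why steps 2 and 3 of the reproduction fail.
            return false;
        }
        if (!props.addDefaultResourceCheckEnabled) {
            return true;
        }
        return props.addDefaultResourceCheckWhitelist.contains(portletId);
    }

    /** Ordering the issue proposes: global switch, then whitelist, then the portlet property. */
    static boolean proposedOrdering(PortalProperties props, String portletId,
                                    boolean addDefaultResource) {
        if (!props.addDefaultResourceCheckEnabled) {
            return true; // resource check disabled for all portlets
        }
        if (props.addDefaultResourceCheckWhitelist.contains(portletId)) {
            return true; // resource check skipped for this specific portlet
        }
        return addDefaultResource; // the check applies; fall back to the portlet's own property
    }

    public static void main(String[] args) {
        // Constructed portlet id used only for this illustration.
        String portletId = "com_liferay_login_web_portlet_LoginPortlet";
        // The issue states com.liferay.login.web ships with add-default-resource=false.
        boolean addDefaultResource = false;

        String[] names = {"white-listed", "check disabled", "neither"};
        PortalProperties[] cases = {
            new PortalProperties(true, Set.of(portletId)),
            new PortalProperties(false, Set.of()),
            new PortalProperties(true, Set.of())
        };

        System.out.printf("%-16s %-9s %-9s%n", "scenario", "reported", "proposed");
        for (int i = 0; i < cases.length; i++) {
            boolean reported = reportedOrdering(cases[i], portletId, addDefaultResource);
            boolean proposed = proposedOrdering(cases[i], portletId, addDefaultResource);
            System.out.printf("%-16s %-9b %-9b%n", names[i], reported, proposed);
        }
    }
}
```

Under the reported ordering all three scenarios evaluate to false, matching the "Actual" result above; under the proposed ordering the white-listed and check-disabled scenarios evaluate to true, matching "Expected", while the "neither" scenario still denies access because the check genuinely applies and the portlet's own property is false.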
Reproduced in master: ba5c71fa068230d38f8cfa50d8f42ae419d4c01d
Reproducible in 70x: 74ab4de91d585c3e80a472c5c061203e6e77897c
Reproducible in 62x: 6d21d18c002b7574c595079d364784693cf2ab26