Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-75184

If a portlet is white-listed or the default resource check is disabled, portlet is still not viewable


    • Type: Bug
    • Status: Closed
    • Resolution: Won't Fix
    • Affects Version/s: 6.2.X EE, 7.0.X, Master
    • Fix Version/s: None
    • Component/s: Application Security
    • Labels:


      As an unauthenticated user, when attempting to access a portlet without the property "com.liferay.portlet.add-default-resource" set to true but with the portlet either white-listed or when the default resource check is disabled, the portlet will still not be viewable.

      This is because in DefaultLayoutTypeAccessPolicyImpl.java, we are checking if the portlet's property "com.liferay.portlet.add-default-resource" first, and returning false if it is false.  We should be checking if the default resource check is even enabled first, then see if it's white-listed. 

      Steps to reproduce:

      1. Deploy the "com.liferay.login.web.jar" which has the the property "com.liferay.portlet.add-default-resource" set to false.  Or you can create your own plugin
      2. Either add the portletId to the property "portlet.add.default.resource.check.whitelist" (should avoid checking resource for those specific portlets) or set the property "portlet.add.default.resource.check.enabled" to false (avoids the resource check for all portlets).
      3. Attempt to access the portlet as an unauthenticated user

      Expected: Portlet is viewable, either because we do not check resources for that specific portlet or for all portlets depending on the action taken in step 2

      Actual: Portlet is not viewable and user is presented with "You do not have the roles required to access this portlet." message.


      Reproduced in master: ba5c71fa068230d38f8cfa50d8f42ae419d4c01d

      Reproducible in 70x: 74ab4de91d585c3e80a472c5c061203e6e77897c

      Reproducible in 62x: 6d21d18c002b7574c595079d364784693cf2ab26




            • Votes:
              0 Vote for this issue
              1 Start watching this issue


              • Created:
                Days since last comment:
                2 years, 18 weeks, 2 days ago


                Version Package