
Journal portlet (15) security question

Julian Gonzalez, modified 7 years ago.

Journal portlet (15) security question

New Member | Posts: 3 | Join date: 20.01.16
I have a Liferay 6.2-CE-GA6 site that is being flagged for a security vulnerability due to the following URL (liferay.com seems to have the same issue):

https://www.liferay.com/web/guest/home?p_p_id=15&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=0

This URL allows a non logged-in user (guest) to access the journal portlet (webcontent) view without being logged in.

I was looking through previous discussions on these topics, but they all applied to older versions of Liferay. I also tried using the "portlet.add.default.resource.check.enabled" setting, but it does not seem to prevent access to guests for the Journal.

Is there a setting somewhere I missed in the control panel? Or another property setting?

Thanks.
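
As an added example (not part of the original posts and not Liferay code): a defender-side check that scans a web access log for requests that address the Journal portlet directly through `p_p_id=15`, as in the URL quoted in the post above, and that were answered with a 2xx status. The common/combined log layout, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: access log in the common/combined layout
# (host ident user [time] "METHOD target PROTO" status size ...).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Portlet IDs to watch; "15" is the Journal portlet ID named in the thread.
WATCHED_PORTLET_IDS = {"15"}


def find_direct_portlet_hits(lines, watched=WATCHED_PORTLET_IDS):
    """Return (ip, status, portlet_id, state, path) for every request that
    addressed a watched portlet via p_p_id and received a 2xx response."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line is not in the expected layout
        url = urlsplit(m.group("target"))
        params = parse_qs(url.query)  # parse_qs also decodes %-escapes
        ids = set(params.get("p_p_id", [])) & watched
        status = int(m.group("status"))
        if not ids or not 200 <= status < 300:
            continue  # other portlet, or the request was redirected/denied
        state = params.get("p_p_state", ["(unset)"])[0]
        for pid in sorted(ids):
            hits.append((m.group("ip"), status, pid, state, url.path))
    return hits


# Constructed sample lines (documentation IP ranges, not from a real log).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Jan/2016:10:00:01 +0000] "GET /web/guest/home?p_p_id=15&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=0 HTTP/1.1" 200 18234',
    '203.0.113.7 - - [20/Jan/2016:10:00:05 +0000] "GET /web/guest/home?p_p_id=15&p_p_state=maximized HTTP/1.1" 302 0',
    '198.51.100.4 - - [20/Jan/2016:10:01:00 +0000] "GET /web/guest/home?p_p_id=58&p_p_state=maximized HTTP/1.1" 200 9120',
    '198.51.100.9 - - [20/Jan/2016:10:02:00 +0000] "GET /web/guest/home?p_p_id=%31%35&p_p_state=maximized HTTP/1.1" 200 17900',
]

if __name__ == "__main__":
    for hit in find_direct_portlet_hits(SAMPLE_LOG):
        print(hit)
```

The access log alone does not show whether a session was authenticated, so each hit still has to be correlated with login or session records before it is treated as guest access.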
Tomas Polesovsky, modified 7 years ago.

RE: Journal portlet (15) security question

Liferay Master | Posts: 676 | Join date: 13.02.09
Hi Julian,

Thank you for the heads up.

Have you tried removing the "embedded" portlets from the page? You can find them in the page edit screen; there should be a table with all portlets that are/were "embedded". If you clear this table, it should fix your issue. I guess you inherited it from the upgrade?

Thanks. Please let me know if it helped!

Best

-- tom
Julian Gonzalez, modified 7 years ago.

RE: Journal portlet (15) security question

New Member | Posts: 3 | Join date: 20.01.16
Hello Tomas,

Can you specify which "page edit" screen you're referring to? The gear icon on the top right (configuration) of the web-content screen only has settings for pagination, email and web review.

This was a clean install of 6.2-CE (Tomcat).