Discussion forums

Journal portlet (15) security question

Julian Gonzalez, modified 7 years ago.

Journal portlet (15) security question

New Member Posts: 3 Join Date: 20/01/16 Recent Posts
I have a Liferay 6.2-CE-GA6 site that is being flagged for a security vulnerability due to the following URL (liferay.com seems to have the same issue):

https://www.liferay.com/web/guest/home?p_p_id=15&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=0

This URL allows a non logged-in user (guest) to access the journal portlet (webcontent) view without being logged in.

I was looking through previous discussions on these topics but they all applied to older versions of Liferay. I also tried using the "portlet.add.default.resource.check.enabled" setting but it does not seem to prevent access to guests for the Journal.

Is there a setting somewhere I missed in the control panel? Or another property setting?

Thanks.
Tomas Polesovsky, modified 7 years ago.

RE: Journal portlet (15) security question

Liferay Master Posts: 676 Join Date: 13/02/09 Recent Posts
Hi Julian,

Thank you for the heads-up.

Have you tried removing the "embedded" portlets from the page? You can find them in the page edit screen; there should be a table with all portlets that are/were "embedded". If you clear this table, it should fix your issue. I guess you inherited it from the upgrade?

Thanks. Please let me know if it helped!

Best

-- tom
Julian Gonzalez, modified 7 years ago.

RE: Journal portlet (15) security question

New Member Posts: 3 Join Date: 20/01/16 Recent Posts
Hello Tomas,

Can you specify which "page edit" screen you're referring to? The gear icon on the top right (configuration) of the web-content screen only has settings for pagination, email and web review.

This was a clean install of 6.2-CE (Tomcat).
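
Added example, not part of the thread and not Liferay code: a log check for requests that address the Journal portlet directly through the `p_p_id` parameter, as the URL in the first post does, so a site owner can see how often the flagged URL pattern is actually being served. It assumes a common/combined-format access log; the sample lines, IP addresses and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Portlet IDs to watch; "15" (Journal) is the one named in the thread.
WATCHED_PORTLET_IDS = {"15"}

# Assumed log format: client IP first, then a quoted request line and the status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def portlet_request(target):
    """Return (portlet_id, window_state) if target addresses a watched portlet via p_p_id."""
    # parse_qs percent-decodes names and values, so p%5Fp%5Fid=%315 is read as
    # p_p_id=15, a form that a plain-text grep for "p_p_id=15" would miss.
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = WATCHED_PORTLET_IDS.intersection(params.get("p_p_id", []))
    if not hits:
        return None
    state = params.get("p_p_state", ["(not set)"])[-1]
    return sorted(hits)[0], state

def scan(log_text, only_served=True):
    """Return one finding per log line that requests a watched portlet by URL."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        hit = portlet_request(m.group("target")) if m else None
        if hit is None:
            continue
        # By default keep only requests the server answered with a 2xx status.
        if only_served and not m.group("status").startswith("2"):
            continue
        findings.append({"ip": m.group("ip"), "portlet_id": hit[0],
                         "state": hit[1], "status": m.group("status")})
    return findings

# Constructed sample log lines (documentation-range IP addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2016:10:01:02 +0000] "GET /web/guest/home?p_p_id=15&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=0 HTTP/1.1" 200 48211
203.0.113.7 - - [20/Jan/2016:10:01:05 +0000] "GET /web/guest/home?p%5Fp%5Fid=%315&p_p_state=maximized HTTP/1.1" 200 48190
198.51.100.4 - - [20/Jan/2016:10:02:11 +0000] "GET /web/guest/home HTTP/1.1" 200 30112
198.51.100.9 - - [20/Jan/2016:10:03:40 +0000] "GET /web/guest/home?p_p_id=58&p_p_state=maximized HTTP/1.1" 200 20100
198.51.100.9 - - [20/Jan/2016:10:04:00 +0000] "GET /web/guest/home?p_p_id=15&p_p_state=maximized HTTP/1.1" 403 512
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The access log alone does not show whether a request came from a guest or a signed-in session, so findings need to be correlated with session or authentication data before being treated as guest access.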