Message Boards

Liferay 6.2 Asset publisher security issue?

Updated 6 years ago by Jurij Borga.

Liferay 6.2 Asset publisher security issue?

New Member Posts: 11 Join Date: 14/03/09 Recent Posts
Hello.

In a default Portal 6.2 installation, the Asset Publisher portlet (and other portlets too) has the Add to Page permission for the Guest role.

This means that on any page of Liferay you are able to open that portlet through the URL suffix: ?p_p_id=101&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view

For example, www.liferay.com has this (possible) vulnerability: https://www.liferay.com/?p_p_id=101&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view

Asset Publisher will show a few articles, but the owner of the portal wants to show only public documents! Not random (maybe obsolete) stuff or stuff with sensitive information. Why should anyone think otherwise? The user assumes that the portal shows only data published through Web Content Display, configured Asset Publishers and so on... What if the user just created content through administration and thinks everything is OK because he did not publish this content, but this content will be available via the link shown above...

Worse is that I have disabled the Add to Page permission for the Asset Publisher portlet. This works fine on pages where Asset Publisher is not deployed... !!!BUT!!! on the page where Asset Publisher is deployed, after clicking the link above, Asset Publisher will be shown in maximized mode without keeping its configuration on the page!

For example, you have configured Asset Publisher to show only web content with some assigned tag, category or structure. The URL suffix ?p_p_id=101&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view ignores this setting and shows all content!

Sorry for the long description, but please help. Am I missing something, or is there no native defense against this vulnerability? Thanks a lot!
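One way a portal administrator can spot the behaviour described in this post from the web server side, as an added example that is not part of the original thread or of Liferay itself: scan access logs for render requests that force a watched portlet (p_p_id=101, the Asset Publisher id quoted above) into maximized state purely through URL parameters. The log lines below are constructed samples in Apache common log format, and the portlet watch list is an assumption you would adapt to your own portal.

```python
"""Flag Liferay render requests that force a portlet into maximized state
via URL parameters (p_p_id / p_p_state / p_p_lifecycle), so they can be
reviewed against the portlet permissions actually intended for Guest."""
import re
from urllib.parse import urlsplit, parse_qs

# Portlet ids that should only render where an administrator placed them.
# 101 is the Asset Publisher id from the post; extend this list as needed.
WATCHED_PORTLETS = {"101": "Asset Publisher"}

# Apache common log format (assumed log format for this example).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')

def parse_line(line):
    """Return a dict with ip, ts, method, path, status and parsed query, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["query"] = parse_qs(urlsplit(rec["path"]).query)
    return rec

def is_forced_maximize(query):
    """True when the request asks for a watched portlet in maximized state on a
    render lifecycle (p_p_lifecycle=0, the default when the parameter is absent)."""
    pid = query.get("p_p_id", [None])[0]
    state = query.get("p_p_state", [None])[0]
    lifecycle = query.get("p_p_lifecycle", ["0"])[0]
    return pid in WATCHED_PORTLETS and state == "maximized" and lifecycle == "0"

def scan(lines):
    """Return (ip, portlet id, portlet name, HTTP status) for each flagged request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_forced_maximize(rec["query"]):
            pid = rec["query"]["p_p_id"][0]
            hits.append((rec["ip"], pid, WATCHED_PORTLETS[pid], rec["status"]))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Mar/2014:10:00:01 +0000] "GET /web/guest/home HTTP/1.1" 200',
    '203.0.113.5 - - [09/Mar/2014:10:00:07 +0000] "GET /web/guest/home?p_p_id=101&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view HTTP/1.1" 200',
    '198.51.100.9 - - [09/Mar/2014:10:01:00 +0000] "GET /web/guest/news?p_p_id=101&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ip, pid, name, status in scan(SAMPLE_LOG):
        print(f"{ip} requested {name} (p_p_id={pid}) maximized via URL, HTTP {status}")
```

A 200 status on a flagged line means the portal rendered the portlet outside its configured placement, which is what you then check against the Guest role's Add to Page permission.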
Updated 6 years ago by Samuel Kong.

RE: Liferay 6.2 Asset publisher security issue?

Liferay Legend Posts: 1902 Join Date: 08/03/10 Recent Posts
Hi Jurij

Can you please go to https://issues.liferay.com/projects/LPS and create a ticket for this issue so that we can properly track it in our bug tracker? In your ticket, can you please provide the specific version of Liferay Portal 6.2 that you are using? Thanks.