Permission Restriction on MyAccountPortlet

Issue

  • We tried to restrict access to MyAccountPortlet for various users in order to prevent them from amending their own data.
  • We found that despite removing the permissions for User and Owner roles on com_liferay_my_account_web_portlet_MyAccountPortlet, they are still able to view and edit their data via the Sign In portlet:

    • Through the "Sign In" widget a user can still reach their Account Settings page. After they authenticate (log in), the widget shows:

      You are signed in as Test Test.

    • Clicking the linked name takes them to their Account Settings, even though the portlet permissions for their roles have been removed.

  • How do we restrict access to this portlet?

Environment

  • Liferay DXP 7.3

Resolution

  • The observed behaviour is by design.
  • Every authenticated user can View and Configure their own user data (only their own data), regardless of the permissions assigned to the User and Owner roles on the portlet. Liferay enforces this in UserPermissionImpl, which grants the action when the caller is the user in question, i.e. when (permissionChecker.getUserId() == userId). Revoking role permissions on com_liferay_my_account_web_portlet_MyAccountPortlet therefore does not affect a user's access to their own data; this behaviour is expected. See source: https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/com/liferay/portal/service/permission/UserPermissionImpl.java#L121 (the link points at master, where line numbers drift; check the branch that matches your DXP version).
  • Revoking the Access in Personal Menu permission only hides the Account Settings entry from the user's personal menu. The right of every user to View and Configure their own data remains, so a user who holds a valid link to the Account Settings page (such as the one rendered by the Sign In widget) can still open it.
  • To sum up, the behaviour is intentional and changing it would break other features. The following workarounds prevent the Sign In widget from exposing the Account Settings page:
    • Remove the Sign In widget from the page. The Account Settings page cannot be reached by guessing its URL, because the portlet only renders when a valid portlet authentication token (p_p_auth) is present in the request, and that token is appended automatically to every URL the portal itself generates. Note that this removes an entry point, not the permission: any other widget, fragment or template that renders a link to the My Account portlet will carry a valid token and expose the page again, and the user's underlying right to edit their own data is unchanged.
    • Customize the Sign In widget via a JSP fragment module so that the signed-in message no longer links to the Account Settings page. Use this if the Sign In widget must remain on the page for design or other reasons. See source: https://github.com/liferay/liferay-portal/blob/master/modules/apps/login/login-web/src/main/resources/META-INF/resources/login.jsp#L28 (again a master link; match the branch to your version).
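
The following is an added, illustrative override of the signed-in branch of login.jsp for a JSP fragment module; it is not Liferay's own code and not part of the original article. It assumes that login-web's init.jsp provides the themeDisplay and user objects (via liferay-theme:defineObjects) and imports HtmlUtil, and that the you-are-signed-in-as-x language key is available. Verify both against the login.jsp of your DXP 7.3 branch before deploying, and carry the sign-in form from the original file over unchanged.

```jsp
<%-- login.jsp: fragment override (illustrative, not Liferay's shipped file) --%>
<%-- Assumes init.jsp of com.liferay.login.web defines themeDisplay, user and HtmlUtil. --%>
<%@ include file="/init.jsp" %>

<c:choose>
	<c:when test="<%= themeDisplay.isSignedIn() %>">

		<%
		// Render the user's name as escaped plain text only. The shipped JSP wraps
		// it in an anchor to the Account Settings page; dropping the anchor means the
		// widget no longer hands the user a portal-generated URL that already carries
		// a valid p_p_auth token for the My Account portlet.
		String signedInAs = HtmlUtil.escape(user.getFullName());
		%>

		<liferay-ui:message arguments="<%= signedInAs %>" key="you-are-signed-in-as-x" translateArguments="<%= false %>" />
	</c:when>
	<c:otherwise>
		<%-- Copy the original sign-in form from login-web's login.jsp here, unchanged. --%>
	</c:otherwise>
</c:choose>
```

The fragment module's bnd.bnd must declare Fragment-Host: com.liferay.login.web (optionally pinned to a bundle-version range matching your installation) and ship the file at META-INF/resources/login.jsp so that it replaces the host bundle's copy. After deployment, sign in and inspect the rendered widget: the page source should contain no href with p_p_id=com_liferay_my_account_web_portlet_MyAccountPortlet. Remember that this hides the link only; the user's right to edit their own data is unchanged, so any other place that renders a tokenised link to the portlet would expose the page again.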