Update from IBM:
We have raised a PMR with IBM (#72198,000,834) and IBM has confirmed that this is working as designed, because the author granted anonymous access while the item was still at the Draft stage. IBM also pointed out that in the example below we are accessing the file directly through the Connect servlet instead of rendering it through a Web Content Viewer portlet (or a Menu component). To sum up IBM's reply:
1) Rendering through the Web Content Viewer portlet or a Menu component: Draft content/components are not accessible to anonymous users, even when access rights have been granted to them.
2) Rendering through the Connect servlet: anonymous users are able to access the Draft item, because access rights have been granted to them.
Our take: As developers, we understand IBM's rationale. But we feel that in an ideal situation (and to make things easier for users to understand), anonymous users should not be able to access a Draft content item or component even if access rights have been granted to them, regardless of whether they hit the Connect servlet directly. UX teaches us not to rely on users doing the "right" thing by linking the file through the rich-text editor; there will always be users who copy the file URL and paste it into content as a plain link.
Conclusion: Tighten Connect servlet security so that anonymous users cannot access Draft content/components directly, regardless of the access rights granted to them.
IBM allows administrators to enforce workflow on a library's items by adding "control.<resource type>=com.aptrix.pluto.workflow.WorkflowControl" to the custom properties of the WCM WCMConfigService resource environment provider in the WebSphere Application Server administrative console. Even with workflow enforced, the team has discovered that anonymous users are able to download the file held in a file component while that component is still in Draft stage.
IMPORTANT, before you proceed, please ensure that your library is properly configured:
- Login to Portal Administration page (http://<hostname>/myportal/Administration).
- Go to Portal Content > Web Content Libraries.
- Click on the “Set Permission” icon for the library in which you are going to save your component.
- Ensure that “Allow Propagation” and “Allow Inheritance” are checked, then click on the “Edit Role” icon.
- Ensure that “Anonymous Portal User” is added to the library’s User role.
How to replicate the issue:
- Go to Web Content Authoring Portlet (http://<hostname>/myportal/Applications/Content/Authoring).
- Add a new file component (New > Component > File).
- Key in the component’s Name, Display Title and upload a random file.
- Click on the “Add Workflow” button if you did not enforce workflow in WAS (with enforcement on, the item is placed under workflow automatically).
- Click on the “Properties” tab and select a workflow.
- Click on the “Save” button to save the changes.
- At this moment, your file component is in Draft status.
- Click on the “Properties” tab again and ensure that “[anonymous portal user]” has been inherited in the Access section.
- Copy the file’s URL from the File Component.
- Paste the URL into a new browser (or a private / incognito window) and remember to change “myconnect” to “connect” in the path, as “myconnect” would prompt you to log in.
- Press Enter: the file downloads even though the file component is in Draft status.
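To check a batch of file-component URLs for this exposure without opening an incognito window for each one, the following script is an added example; it is neither IBM's code nor part of the original write-up. It assumes the default WCM servlet paths /wps/wcm/connect/ (anonymous) and /wps/wcm/myconnect/ (authenticated); the host name and item paths used in the usage are placeholders. Each URL copied from the authoring portlet is rewritten to its anonymous /connect/ form and requested with a fresh, cookie-less HEAD request that does not follow redirects, so a 302 to the login page is reported as such rather than chased. The script cannot tell whether an item is in Draft; confirm that in the authoring portlet first, then treat an HTTP 200 on the anonymous URL as the exposure described above.

```python
"""Check whether WCM file-component URLs are downloadable anonymously.

Added example (not IBM code). Assumes the default WCM Connect servlet paths
/wps/wcm/connect/ and /wps/wcm/myconnect/; hosts and paths are placeholders.
"""
import re
import sys
import urllib.error
import urllib.request

# The authoring portlet hands out the authenticated form of the URL; the
# anonymous form differs only in the servlet path segment (myconnect -> connect).
_SERVLET = re.compile(r"(/wcm/)(my)?connect(/)")


def is_connect_url(url: str) -> bool:
    """True if the URL points at the WCM Connect servlet (either variant)."""
    return _SERVLET.search(url) is not None


def anonymous_url(url: str) -> str:
    """Rewrite to the /connect/ path; unchanged if already anonymous."""
    if not is_connect_url(url):
        raise ValueError("not a WCM Connect servlet URL: %s" % url)
    return _SERVLET.sub(r"\1connect\3", url, count=1)


def authenticated_url(url: str) -> str:
    """Rewrite to the /myconnect/ path, which forces a portal login."""
    if not is_connect_url(url):
        raise ValueError("not a WCM Connect servlet URL: %s" % url)
    return _SERVLET.sub(r"\1myconnect\3", url, count=1)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to the login page is itself the answer."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx code


def fetch_status(url: str, timeout: float = 10.0) -> int:
    """HEAD the URL with a new opener and no cookies, i.e. as an anonymous user."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verdict(anon_status: int) -> str:
    """Interpret the anonymous response for an item believed to be in Draft."""
    if anon_status == 200:
        return "EXPOSED: file downloadable without login"
    if anon_status in (301, 302, 303, 307, 308):
        return "OK: redirected (login prompt)"
    if anon_status in (401, 403):
        return "OK: access denied to anonymous user"
    if anon_status == 404:
        return "OK: item not visible to anonymous user"
    return "UNKNOWN: HTTP %d" % anon_status


def check(urls):
    """Yield (anonymous_url, status, verdict) for each Connect servlet URL."""
    for url in urls:
        anon = anonymous_url(url)
        status = fetch_status(anon)
        yield anon, status, verdict(status)


if __name__ == "__main__":
    # Usage: python check_wcm_draft.py <file URLs copied from the authoring portlet>
    # e.g. https://portal.example.com/wps/wcm/myconnect/lib/file.pdf?MOD=AJPERES
    for anon, status, result in check(sys.argv[1:]):
        print("%s\n  HTTP %d  %s" % (anon, status, result))
```

Run it with the URLs copied from the File Component field while the items are still in Draft. A server that rejects HEAD (HTTP 405) will show up as UNKNOWN; in that case swap the method for GET. This check only covers the Connect servlet path, which is exactly the path IBM says is governed by the granted access rights; it says nothing about what a Web Content Viewer portlet would render.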