Well, I got asked to evaluate Liferay for use at our company. It has a serious – deal killer – major serious security flaw. It doesn’t handle searches properly and even though you can’t access an item you don’t have rights to, you can still see it. Why is that a problem you ask? Imagine that you have Joe Schmoe in the mail room searching for a document, and he comes across one of the following:
- June Layoff Plan
- CEO Raise Justification
- Termination Paperwork for Sally Sue
I’m sure that you can see where this is a HUGE issue for anyone who has a business need to keep private information private. Having an employee panic (over layoffs) or an uprising (over the CEO raise when they didn’t get one) is probably not a desirable circumstance for any company. Having someone’s FMLA or Termination paperwork visible is grounds for a lawsuit. It’s just simply not acceptable.
The issue stems from the fact that the search runs and returns results based on the “God” rights of the portal itself. It doesn’t check for access until you try to click to open the document. Instead of filtering the results at some point PRIOR to displaying them, it just spews them all out. Very lazy and sloppy coding. There is no other excuse or explanation for such a grievous breach of what a portal is supposed to do.
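As an added illustration (not Liferay’s code, and written against a made-up in-memory document index rather than any portal API), here are the two search patterns this paragraph contrasts: one that queries with the portal’s unrestricted rights and only gates the open action, and one that checks each hit against the requesting user’s roles before it is ever returned.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    title: str
    allowed_roles: frozenset  # roles permitted to view this item


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


# Constructed sample index standing in for a portal document library.
INDEX = [
    Document(1, "Q3 Shipping Schedule", frozenset({"employee"})),
    Document(2, "June Layoff Plan", frozenset({"executive", "hr"})),
    Document(3, "Termination Paperwork for Sally Sue", frozenset({"hr"})),
]


def can_view(user, doc):
    return bool(user.roles & doc.allowed_roles)


def search_unfiltered(query):
    """Leaky pattern: the index is queried with the portal's own unlimited
    rights and every hit (title included) goes back to whoever asked."""
    q = query.lower()
    return [d for d in INDEX if q in d.title.lower()]


def open_document(user, doc):
    """The only access check in the leaky pattern, applied after the title
    has already been shown in the result list."""
    if not can_view(user, doc):
        raise PermissionError(f"{user.name} may not open document {doc.doc_id}")
    return doc


def search_filtered(user, query):
    """Fixed pattern: same query, but each hit is checked against the
    requesting user's roles before it is returned, so nothing leaks."""
    return [d for d in search_unfiltered(query) if can_view(user, d)]


def leaked_titles(user, query):
    """Titles the leaky search would expose that this user cannot open."""
    return [d.title for d in search_unfiltered(query) if not can_view(user, d)]
```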
Sadly, the document management search isn’t the only thing that functions in this manner. Several of the other “default” portlets do as well. The most notable is the calendar portlet. Events which should be limited in “scope” are visible to any authenticated user. In case you can’t see why a calendar is a problem, consider this…
- Plant Closure Meeting
- Outsourcing Customer Service
- Suzy Q meeting with HR to discuss Sexual Harassment by Shipping Supervisor
Another thing that you might wish to be aware of is that the Administrator interface also does this. You can log in as an “Omniadministrator” to administer the portal instance, but even administrators of virtual hosts on other sites on the same Liferay instance can view and search users and user groups. You could potentially have a situation where you have competitors who are hosted by the same company on the same server and they would be able to search each other’s users.
It’s such a complete and total violation of any idea of a normal security model that it completely makes me wonder what other totally and completely retarded BS they coded into it.