Assigning Permissions to Web Content Structures and Templates
Web content structures and templates provide direct access to Liferay’s API. To avoid unauthorized or unintended access to Liferay DXP functionality, you should configure permissions for web content structures and templates.
As a best practice, define two different roles with access to web content structures and templates:
- Content Developer: Users with this role have permission to create and edit web content structures or templates.
- Content Creator: Users with this role have permission to view web content structures or templates, so they can use them to create content.
For information about how to create roles, see Creating and Managing Roles.
Consider the information below when you assign permissions to web content structures or templates:
- Determine if your roles must have global permissions for all web content structures or templates across the Liferay DXP instance, or only for specific sites.
- The View permission only allows users to view web content structures or templates.
- The majority of users should not be able to edit web content structures or templates.
Security Considerations for Web Content Templates
Web content templates use the FreeMarker Template Language (FTL) by default. Users with permission to create or edit templates using FreeMarker may execute arbitrary code on your DXP instance and access sensitive information, including information about other users.
Grant permission to create or edit web content templates in FreeMarker to trusted users only.
You can disable template creation completely. Once disabled, users can no longer access creation options for web content templates. This action does not affect existing templates.
To disable template creation:
- Open the Control Panel tab in the Global Menu.
- Go to Configuration → System Settings → Content and Data → Dynamic Data Mapping.
- Click Dynamic Data Mapping Web.
- Uncheck Enable Template Creation.
- Click Save or Update.
Assigning Permissions
- Open the Site Menu and navigate to Content & Data → Web Content.
- Select the Structures tab to set permissions for structures, or the Templates tab to set permissions for templates.
- For the web content template where you want to assign permissions, click Actions and select Permissions.
- Select the permissions you need for your roles.
- Click Save.
See Defining Role Permissions for more information on configuring permissions.