Submit Feedback
Legacy Knowledge Base
Published Jun. 30, 2025

Wrong guest view permission assigned to images inserted into message boards threads (not following the thread's guest view permission)

Written By

Sorin Pop

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines.We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided"as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

  • if there is no private page on a site, and we create a message boards thread with "Viewable By"="Site Members", and you insert an image in the message (with the editor's image icon), that image will in the Documents and Media will end up having view permission for Guest (although it shouldn't, as its "parent" thread doesn't have it either)

  • if there is at least one private page on the site, and you create a thread with "Viewable By"="Anyone" and you put an image in it, the resulting document will NOT get the view permission for guest (although it should, as its "parent" thread does have it)

  • Steps to reproduce:
    1. Go to System Settings/Release Feature Flags and select Disable Private Pages.
    2. Create a new blank site.
    3. Create a new public widget page on it and put a Message Boards widget on it.
    4. Create a new thread, insert an image in the message body and set "Viewable By"="Site Members". Save.
    5. Check the permissions of the resulting document in Documents and Media
    Result: view permission for Guest is enabled
    Expected: it should be disabled (as it is also disabled for the thread on which we have this image)
    6. Create a new private widget page.
    7. Go back to the Message Board widget on the public page and start creating a new thread.
    8. Put an image in it and set (or leave) "Viewable By"="Anyone". Save.
    9. Check the permissions of the resulting new document in Documents and Media.
    Result: view permission for Guest is disabled
    Expected: it should be enabled (as its is also enabled for the thread on which we have this image)

  • The view permission of the file seems to be determined like this:

    • if there is at least one private page on the site, the view permission for the file will be disabled

    • if there is no private page on the site, the view permission for the file will be enabled

Environment

  • 7.4

Resolution

  • The image that you insert in a Message Boards message is being uploaded to D&M Repository, so it is getting Documents and Media default permissions (this is the expected behavior). It’s not considered as an attachment, so when you set for example "Viewable By"="Site Members", this is indeed applied only to the MB thread object (not the Documents&Media object created by inserting the image).
     
    Note that the document is not directly connected to the message, it is just been used there from the D&M repository.
     
    It is similar with other features, like web content articles, they behave the same way when using the Documents and Media tab from the item selector.
     
    What we could suggest: Message Boards also has an ATTACHMENTS section that inherits the mb permission to the uploaded documents.
     
    About the observed way of how the functionality behaves actually in the background (how it is determined what will be the guest view permission for the uploaded file)
     

    The view permission of the file seems to be determined like this:

    • if there is at least one private page on the site, the view permission for the file will be disabled by default
    • if there is no private page on the site, the view permission for the file will be enabled by default
     
    Indeed, this is a common pattern along the portal. Please see https://help.liferay.com/hc/en-us/articles/360033275212-Guest-permission-option-is-not-the-default-value-when-creating-a-file-entry-in-Control-Panel

 

 

 

Did this article resolve your issue ?
Legacy Knowledge Base
Did this article resolve your issue ?