Legacy Knowledge Base
Published Jul. 2, 2025

Permission Restriction on MyAccountPortlet

Written By

Peter Schwarcz

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

  • We tried to restrict access to MyAccountPortlet for various users in order to prevent them from amending their own data.
  • We found that despite removing the permissions for User and Owner roles on com_liferay_my_account_web_portlet_MyAccountPortlet, they are still able to view and edit their data via the Sign In portlet:

    • With the use of the "Sign In" portlet, a user is able to access their Account Settings page. After they authenticate (log in) the text normally says:

      You are signed in as Test Test.

    • And clicking the link takes them to their Account Settings despite seemingly not having the permission to do so.

  • How do we restrict access to this portlet?

Environment

  • Liferay DXP 7.3

Resolution

  • The observed behaviour is by design.
  • Every authenticated user is able to View and Configure their own data (only their own data: UserPermissionImpl enforces this with the condition permissionChecker.getUserId() == userId). This is expected behaviour. See source: https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/com/liferay/portal/service/permission/UserPermissionImpl.java#L121
  • Revoking the Access in Personal Menu permission only removes the pages from the user's personal menu; the right of every user to View and Configure their own data remains. A user who has the link to the Account Settings page can still open it.
  • To sum up, the behaviour is intentional and changing it would break other features. The following workarounds avoid exposing the Account Settings page via the Sign In widget. Note that both of them hide the link rather than enforce a permission: the self-access rule in UserPermissionImpl still applies, so treat them as UI measures, not as an authorization boundary.
    • Remove the Sign In widget from the page. The Account Settings page cannot simply be opened via a made-up URL, because a portlet authentication token (p_p_auth) must be present in the URL for the portlet to render; the portal adds this token automatically to the URLs it generates.
    • Customize the Sign In widget via a JSP fragment module to remove the link. If the Sign In widget must stay on the page for design or other reasons, override its login.jsp so that the "You are signed in as ..." text no longer links to the Account Settings page. See source: https://github.com/liferay/liferay-portal/blob/master/modules/apps/login/login-web/src/main/resources/META-INF/resources/login.jsp#L28
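To make concrete why revoking the User and Owner role permissions does not stop users from editing their own data, here is an added example (not Liferay's code and not part of the original article) that models the self-access rule the article attributes to UserPermissionImpl: the owner branch is evaluated on its own, so the role permission table never decides a user's access to their own record. The class, resource and action names, the role table and the sample users are all assumptions made for the illustration; Liferay's real PermissionChecker API, ActionKeys and resource names are not reproduced.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not Liferay code: a simplified model of an "own record" permission
 * rule. A user may always VIEW and UPDATE the record whose id equals their own;
 * every other combination of caller, record and action is decided by the role table.
 *
 * All names below (resource, actions, roles, user ids) are assumptions for this
 * illustration and do not reproduce Liferay's real permission implementation.
 */
public class OwnRecordPermissionModel {

    static final String RESOURCE_USER = "User";   // assumed resource name for a user record
    static final String ACTION_VIEW = "VIEW";
    static final String ACTION_UPDATE = "UPDATE";
    static final String ACTION_DELETE = "DELETE";

    /** Stand-in for a PermissionChecker: who is asking and which roles they hold. */
    static final class Checker {
        private final long userId;
        private final Set<String> roles;

        Checker(long userId, Set<String> roles) {
            this.userId = userId;
            this.roles = new HashSet<>(roles);
        }

        long getUserId() {
            return userId;
        }

        Set<String> getRoles() {
            return roles;
        }
    }

    /** Stand-in for the role permission table: "resource:action" -> roles granted it. */
    private final Map<String, Set<String>> rolePermissions = new HashMap<>();

    void grant(String resource, String action, String role) {
        rolePermissions.computeIfAbsent(resource + ":" + action, k -> new HashSet<>()).add(role);
    }

    void revoke(String resource, String action, String role) {
        Set<String> roles = rolePermissions.get(resource + ":" + action);
        if (roles != null) {
            roles.remove(role);
        }
    }

    /**
     * Self-access rule: the caller may VIEW and UPDATE their own record regardless of
     * the role table. Anything else falls through to the role-based lookup.
     */
    boolean contains(Checker checker, long targetUserId, String action) {
        if (checker.getUserId() == targetUserId
                && (ACTION_VIEW.equals(action) || ACTION_UPDATE.equals(action))) {
            return true; // owner branch: role permissions are never consulted
        }

        Set<String> allowed = rolePermissions.getOrDefault(RESOURCE_USER + ":" + action, Set.of());
        for (String role : checker.getRoles()) {
            if (allowed.contains(role)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        OwnRecordPermissionModel model = new OwnRecordPermissionModel();

        // Constructed sample data: a regular user holding the "User" role, and another user's id.
        Checker alice = new Checker(20101, Set.of("User"));
        long bobId = 20102;

        // Start from a grant, then revoke it, as the Issue section describes.
        model.grant(RESOURCE_USER, ACTION_VIEW, "User");
        model.grant(RESOURCE_USER, ACTION_UPDATE, "User");
        model.revoke(RESOURCE_USER, ACTION_VIEW, "User");
        model.revoke(RESOURCE_USER, ACTION_UPDATE, "User");

        // Alice can still view and update her own record: the owner branch decides.
        System.out.println("alice VIEW own:   " + model.contains(alice, alice.getUserId(), ACTION_VIEW));
        System.out.println("alice UPDATE own: " + model.contains(alice, alice.getUserId(), ACTION_UPDATE));

        // The revoked role grant is effective for other users' records ...
        System.out.println("alice VIEW bob:   " + model.contains(alice, bobId, ACTION_VIEW));

        // ... and for actions the owner branch does not cover.
        System.out.println("alice DELETE own: " + model.contains(alice, alice.getUserId(), ACTION_DELETE));
    }
}
```

Running the class prints true, true, false, false: the first two lines are the behaviour the Issue section observed, and they do not change however the role table is edited. That is why the workarounds above can only hide the link to Account Settings; they do not change what the user is permitted to do with their own record.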