Issue
- The /o/headless-admin-user/v1.0/roles API exposes all system roles, potentially revealing sensitive information about permission structures, user roles, and their associated components (portlets).
Environment
- Liferay DXP 7.4
- Liferay DXP Quarterly Releases
Resolution
- You can control role visibility through the API by managing each role's permissions. By default:
  - Owner: All permissions.
  - User (authenticated users): View permission.
  - Guest (anonymous users): No view permission.
- To restrict a specific role's visibility (e.g., Administrator):
  1. Go to the role (e.g., Administrator).
  2. In the options menu (⋮), select Permissions.
  3. Remove the View permission from the User role.
- This prevents non-administrative users from seeing the "Administrator" role via the API.
- Nevertheless, if an attacker knows a system uses Liferay, they don't need to access its API to find default permissions and portlets. This is because Liferay is open-source, allowing access to its code, and the software can be downloaded and installed locally to inspect its default settings.
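After removing the View permission, it is worth confirming the change from the point of view of an ordinary authenticated user rather than trusting the permissions screen. The script below is an added example, not part of the Liferay article or product: it calls the roles endpoint named above as a low-privilege test user and reports which roles from a defender-chosen "sensitive" list are still returned. The base URL, the test account, HTTP Basic authentication and the sensitive-role list are assumptions for illustration; the two sample responses are constructed, not real captures, but follow the `items`/`totalCount` envelope that Liferay headless list endpoints use.

```python
"""Check which roles the Liferay headless roles API exposes to a given caller.

Added example for verifying the permission change described in the article;
it is not code from the article or from Liferay.
"""
import base64
import json
import urllib.request

# Endpoint named in the article. The host is an assumption for illustration.
ROLES_PATH = "/o/headless-admin-user/v1.0/roles"
BASE_URL = "https://liferay.example.test"

# Roles an ordinary user should not be able to enumerate (assumption: each
# deployment decides this list for itself).
SENSITIVE_ROLES = {"Administrator", "Portal Content Reviewer"}


def exposed_sensitive_roles(response, sensitive=SENSITIVE_ROLES):
    """Return the names of sensitive roles present in a parsed roles response.

    Liferay headless list endpoints wrap results in an "items" array; each
    role object carries a "name". Missing keys are treated as "nothing exposed"
    so the check never crashes on an empty or unexpected body.
    """
    items = response.get("items", [])
    return sorted(r["name"] for r in items if r.get("name") in sensitive)


def fetch_roles(base_url, username, password):
    """Fetch the roles list as the given user with HTTP Basic auth.

    Network call, used only from main(); the checker above stays offline.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url + ROLES_PATH,
        headers={"Authorization": "Basic " + token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample responses (not real captures) showing the effect of
# removing the User role's View permission from the Administrator role.
BEFORE = {
    "items": [
        {"id": 1, "name": "Administrator", "roleType": "regular"},
        {"id": 2, "name": "User", "roleType": "regular"},
        {"id": 3, "name": "Guest", "roleType": "regular"},
    ],
    "totalCount": 3,
}

AFTER = {
    "items": [
        {"id": 2, "name": "User", "roleType": "regular"},
        {"id": 3, "name": "Guest", "roleType": "regular"},
    ],
    "totalCount": 2,
}


def main():
    # Offline walk-through on the constructed samples.
    print("before fix, exposed:", exposed_sensitive_roles(BEFORE))
    print("after fix, exposed: ", exposed_sensitive_roles(AFTER))

    # Live check against a real instance: run as a non-admin test account
    # (hypothetical credentials below) and expect an empty list.
    try:
        live = fetch_roles(BASE_URL, "test-user@example.test", "test-password")
        leaked = exposed_sensitive_roles(live)
        print("live check, still exposed:", leaked or "none")
    except OSError as err:  # no network / host unreachable in an offline run
        print("live check skipped:", err)


if __name__ == "__main__":
    main()
```

Run the live check with an account that holds only the User role; an empty result means the View permission removal took effect for that endpoint. Re-run it after upgrades, since permission changes made in the UI are data, not configuration, and are easy to lose when roles are recreated.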
Additional Information