Moderate severityNVD Advisory· Published Sep 11, 2025· Updated Sep 11, 2025

CVE-2025-43782

CVE-2025-43782

Description

Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote authenticated users to access a workflow definition by name via the API.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
com.liferay:com.liferay.portal.workflow.kaleo.runtime.integration.impl (Maven) | >= 5.0.1, < 5.0.48 | 5.0.48

Affected products

2

Patches

6
ad55ef75cb82

LPD-16334 Better order

https://github.com/liferay/liferay-portalBrian ChanJul 18, 2024via ghsa
1 file changed · +21 18
  • modules/apps/portal-workflow/portal-workflow-kaleo-runtime-integration-impl/src/main/java/com/liferay/portal/workflow/kaleo/runtime/integration/internal/WorkflowDefinitionManagerImpl.java+21 18 modified
    @@ -102,7 +102,7 @@ public List<WorkflowDefinition> getActiveWorkflowDefinitions(
     		throws WorkflowException {
     
     		return _getActiveWorkflowDefinitions(
    -			companyId, false, start, end, orderByComparator);
    +			companyId, start, end, orderByComparator, false);
     	}
     
     	@Override
    @@ -162,7 +162,7 @@ public WorkflowDefinition getLatestWorkflowDefinition(
     			long companyId, String name)
     		throws WorkflowException {
     
    -		return _getLatestWorkflowDefinition(companyId, false, name);
    +		return _getLatestWorkflowDefinition(companyId, name, false);
     	}
     
     	@Override
    @@ -172,7 +172,7 @@ public List<WorkflowDefinition> getLatestWorkflowDefinitions(
     		throws WorkflowException {
     
     		return _getLatestWorkflowDefinitions(
    -			active, companyId, false, start, end, orderByComparator);
    +			companyId, active, start, end, orderByComparator, false);
     	}
     
     	@Override
    @@ -223,7 +223,7 @@ public WorkflowDefinition getWorkflowDefinition(
     			long companyId, String name, int version)
     		throws WorkflowException {
     
    -		return _getWorkflowDefinition(companyId, false, name, version);
    +		return _getWorkflowDefinition(companyId, name, version, false);
     	}
     
     	@Override
    @@ -233,7 +233,7 @@ public List<WorkflowDefinition> getWorkflowDefinitions(
     		throws WorkflowException {
     
     		return _getWorkflowDefinitions(
    -			companyId, false, name, orderByComparator);
    +			companyId, name, orderByComparator, false);
     	}
     
     	@Override
    @@ -256,15 +256,15 @@ public List<WorkflowDefinition> liberalGetActiveWorkflowDefinitions(
     		throws WorkflowException {
     
     		return _getActiveWorkflowDefinitions(
    -			companyId, true, start, end, orderByComparator);
    +			companyId, start, end, orderByComparator, true);
     	}
     
     	@Override
     	public WorkflowDefinition liberalGetLatestWorkflowDefinition(
     			long companyId, String name)
     		throws WorkflowException {
     
    -		return _getLatestWorkflowDefinition(companyId, true, name);
    +		return _getLatestWorkflowDefinition(companyId, name, true);
     	}
     
     	@Override
    @@ -274,15 +274,15 @@ public List<WorkflowDefinition> liberalGetLatestWorkflowDefinitions(
     		throws WorkflowException {
     
     		return _getLatestWorkflowDefinitions(
    -			null, companyId, true, start, end, orderByComparator);
    +			companyId, null, start, end, orderByComparator, true);
     	}
     
     	@Override
     	public WorkflowDefinition liberalGetWorkflowDefinition(
     			long companyId, String name, int version)
     		throws WorkflowException {
     
    -		return _getWorkflowDefinition(companyId, true, name, version);
    +		return _getWorkflowDefinition(companyId, name, version, true);
     	}
     
     	@Override
    @@ -292,7 +292,7 @@ public List<WorkflowDefinition> liberalGetWorkflowDefinitions(
     		throws WorkflowException {
     
     		return _getWorkflowDefinitions(
    -			companyId, true, name, orderByComparator);
    +			companyId, name, orderByComparator, true);
     	}
     
     	@Override
    @@ -426,8 +426,9 @@ private <T> T _get(
     	}
     
     	private List<WorkflowDefinition> _getActiveWorkflowDefinitions(
    -			long companyId, boolean liberal, int start, int end,
    -			OrderByComparator<WorkflowDefinition> orderByComparator)
    +			long companyId, int start, int end,
    +			OrderByComparator<WorkflowDefinition> orderByComparator,
    +			boolean liberal)
     		throws WorkflowException {
     
     		try {
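Review bot: The `boolean liberal` parameter that now closes the signature of `_getActiveWorkflowDefinitions` is undocumented, although the call sites in this commit show it is the switch between the checked entry points (`get*` pass `false`) and the `liberalGet*` ones (pass `true`), which the commit titles further down this page describe as not checking permissions. A bare trailing `true` is easy to copy into a new caller without noticing what it turns off. I would add a comment above the signature such as `// liberal: true skips the permission-checked service; pass it only from liberalGet* methods`, and repeat it on `_getLatestWorkflowDefinition`, `_getLatestWorkflowDefinitions`, `_getWorkflowDefinition` and `_getWorkflowDefinitions`, whose signatures are reordered in the following hunks. The method body continues outside the hunk.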
    @@ -469,7 +470,7 @@ private List<WorkflowDefinition> _getActiveWorkflowDefinitions(
     	}
     
     	private WorkflowDefinition _getLatestWorkflowDefinition(
    -			long companyId, boolean liberal, String name)
    +			long companyId, String name, boolean liberal)
     		throws WorkflowException {
     
     		try {
    @@ -494,8 +495,9 @@ private WorkflowDefinition _getLatestWorkflowDefinition(
     	}
     
     	private List<WorkflowDefinition> _getLatestWorkflowDefinitions(
    -			Boolean active, long companyId, boolean liberal, int start, int end,
    -			OrderByComparator<WorkflowDefinition> orderByComparator)
    +			long companyId, Boolean active, int start, int end,
    +			OrderByComparator<WorkflowDefinition> orderByComparator,
    +			boolean liberal)
     		throws WorkflowException {
     
     		try {
    @@ -548,7 +550,7 @@ private List<WorkflowDefinition> _getLatestWorkflowDefinitions(
     	}
     
     	private WorkflowDefinition _getWorkflowDefinition(
    -			long companyId, boolean liberal, String name, int version)
    +			long companyId, String name, int version, boolean liberal)
     		throws WorkflowException {
     
     		try {
    @@ -576,8 +578,9 @@ companyId, name, getVersion(version)),
     	}
     
     	private List<WorkflowDefinition> _getWorkflowDefinitions(
    -			long companyId, boolean liberal, String name,
    -			OrderByComparator<WorkflowDefinition> orderByComparator)
    +			long companyId, String name,
    +			OrderByComparator<WorkflowDefinition> orderByComparator,
    +			boolean liberal)
     		throws WorkflowException {
     
     		try {
    
acf50c712f7f

LPD-16334 Create liberal method for getWorkflowDefinition that doesn't check permissions

https://github.com/liferay/liferay-portalPedro LeiteJun 3, 2024via ghsa
6 files changed · +59 29
  • modules/apps/portal-workflow/portal-workflow-api/src/main/java/com/liferay/portal/workflow/manager/WorkflowDefinitionManager.java+7 0 modified
    @@ -138,6 +138,13 @@ public default List<WorkflowDefinition> liberalGetLatestWorkflowDefinitions(
     		throw new UnsupportedOperationException();
     	}
     
    +	public default WorkflowDefinition liberalGetWorkflowDefinition(
    +			long companyId, String name, int version)
    +		throws WorkflowException {
    +
    +		throw new UnsupportedOperationException();
    +	}
    +
     	public default List<WorkflowDefinition> liberalGetWorkflowDefinitions(
     			long companyId, String name, int start, int end,
     			OrderByComparator<WorkflowDefinition> orderByComparator)
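Review bot: `liberalGetWorkflowDefinition` joins the public `WorkflowDefinitionManager` interface with no Javadoc, so nothing at the API level tells an implementer or caller that this variant is meant to skip the permission check applied by `getWorkflowDefinition`; only the commit title says so. A short Javadoc should state that the lookup is not permission-checked, that the caller must have authorized the request itself, and that the default implementation throws `UnsupportedOperationException`. The same applies to the static wrapper added to `WorkflowDefinitionManagerUtil` in this commit and to the other `liberalGet*` methods that the commits further down the page add to both files.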
    
  • modules/apps/portal-workflow/portal-workflow-api/src/main/java/com/liferay/portal/workflow/util/WorkflowDefinitionManagerUtil.java+11 11 modified
    @@ -45,17 +45,6 @@ public static int getActiveWorkflowDefinitionsCount(long companyId)
     			companyId);
     	}
     
    -	public static WorkflowDefinition getWorkflowDefinition(
    -			long companyId, String name, int version)
    -		throws WorkflowException {
    -
    -		WorkflowDefinitionManager workflowDefinitionManager =
    -			_workflowDefinitionManagerSnapshot.get();
    -
    -		return workflowDefinitionManager.getWorkflowDefinition(
    -			companyId, name, version);
    -	}
    -
     	public static int getWorkflowDefinitionsCount(long companyId, String name)
     		throws WorkflowException {
     
    @@ -101,6 +90,17 @@ public static List<WorkflowDefinition> liberalGetLatestWorkflowDefinitions(
     			companyId, start, end, orderByComparator);
     	}
     
    +	public static WorkflowDefinition liberalGetWorkflowDefinition(
    +			long companyId, String name, int version)
    +		throws WorkflowException {
    +
    +		WorkflowDefinitionManager workflowDefinitionManager =
    +			_workflowDefinitionManagerSnapshot.get();
    +
    +		return workflowDefinitionManager.liberalGetWorkflowDefinition(
    +			companyId, name, version);
    +	}
    +
     	public static List<WorkflowDefinition> liberalGetWorkflowDefinitions(
     			long companyId, String name, int start, int end,
     			OrderByComparator<WorkflowDefinition> orderByComparator)
    
  • modules/apps/portal-workflow/portal-workflow-kaleo-runtime-integration-impl/src/main/java/com/liferay/portal/workflow/kaleo/runtime/integration/internal/WorkflowDefinitionManagerImpl.java+37 14 modified
    @@ -223,20 +223,7 @@ public WorkflowDefinition getWorkflowDefinition(
     			long companyId, String name, int version)
     		throws WorkflowException {
     
    -		try {
    -			return _kaleoWorkflowModelConverter.toWorkflowDefinition(
    -				_kaleoDefinitionVersionService.getKaleoDefinitionVersion(
    -					companyId, name, getVersion(version)));
    -		}
    -		catch (NoSuchModelException noSuchModelException) {
    -			throw new NoSuchWorkflowDefinitionException(noSuchModelException);
    -		}
    -		catch (WorkflowException workflowException) {
    -			throw workflowException;
    -		}
    -		catch (Exception exception) {
    -			throw new WorkflowException(exception);
    -		}
    +		return _getWorkflowDefinition(companyId, false, name, version);
     	}
     
     	@Override
    @@ -290,6 +277,14 @@ public List<WorkflowDefinition> liberalGetLatestWorkflowDefinitions(
     			null, companyId, true, start, end, orderByComparator);
     	}
     
    +	@Override
    +	public WorkflowDefinition liberalGetWorkflowDefinition(
    +			long companyId, String name, int version)
    +		throws WorkflowException {
    +
    +		return _getWorkflowDefinition(companyId, true, name, version);
    +	}
    +
     	@Override
     	public List<WorkflowDefinition> liberalGetWorkflowDefinitions(
     			long companyId, String name, int start, int end,
    @@ -552,6 +547,34 @@ private List<WorkflowDefinition> _getLatestWorkflowDefinitions(
     		}
     	}
     
    +	private WorkflowDefinition _getWorkflowDefinition(
    +			long companyId, boolean liberal, String name, int version)
    +		throws WorkflowException {
    +
    +		try {
    +			return _kaleoWorkflowModelConverter.toWorkflowDefinition(
    +				_get(
    +					liberal,
    +					() ->
    +						_kaleoDefinitionVersionLocalService.
    +							getKaleoDefinitionVersion(
    +								companyId, name, getVersion(version)),
    +					() ->
    +						_kaleoDefinitionVersionService.
    +							getKaleoDefinitionVersion(
    +								companyId, name, getVersion(version))));
    +		}
    +		catch (NoSuchModelException noSuchModelException) {
    +			throw new NoSuchWorkflowDefinitionException(noSuchModelException);
    +		}
    +		catch (WorkflowException workflowException) {
    +			throw workflowException;
    +		}
    +		catch (Exception exception) {
    +			throw new WorkflowException(exception);
    +		}
    +	}
    +
     	private List<WorkflowDefinition> _getWorkflowDefinitions(
     			long companyId, boolean liberal, String name,
     			OrderByComparator<WorkflowDefinition> orderByComparator)
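Review bot: None of the six files this commit lists is a test, so the split introduced in `_getWorkflowDefinition` is unpinned: `liberal == false` has to keep going through `_kaleoDefinitionVersionService`, and only `liberal == true` may use `_kaleoDefinitionVersionLocalService`. `_get` is defined outside the hunk, so the order of its two suppliers cannot be confirmed from here. A test that calls `getWorkflowDefinition` as a user without access to the definition and expects a failure, next to one showing `liberalGetWorkflowDefinition` succeeds, would catch an accidental swap of the two lambdas or of the flag.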
    
  • modules/apps/portal-workflow/portal-workflow-web/src/main/java/com/liferay/portal/workflow/web/internal/display/context/WorkflowInstanceEditDisplayContext.java+1 1 modified
    @@ -388,7 +388,7 @@ private String _getWorkflowDefinitionName() throws PortalException {
     		WorkflowInstance workflowInstance = _getWorkflowInstance();
     
     		WorkflowDefinition workflowDefinition =
    -			WorkflowDefinitionManagerUtil.getWorkflowDefinition(
    +			WorkflowDefinitionManagerUtil.liberalGetWorkflowDefinition(
     				workflowInstanceRequestHelper.getCompanyId(),
     				workflowInstance.getWorkflowDefinitionName(),
     				workflowInstance.getWorkflowDefinitionVersion());
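Review bot: The call in `_getWorkflowDefinitionName` now resolves the definition without a permission check, and no comment says why that is acceptable at this call site. From the hunk, the name and version come from `_getWorkflowInstance()` rather than from request input, so the lookup is presumably only as open as access to the instance itself; that assumption deserves a line such as `// liberal: name and version come from the already-loaded workflow instance, not from the request`. The same comment fits `getDefinition` in `WorkflowInstanceViewDisplayContext`, changed in the next file section. The method starts and ends outside the hunk.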
    
  • modules/apps/portal-workflow/portal-workflow-web/src/main/java/com/liferay/portal/workflow/web/internal/display/context/WorkflowInstanceViewDisplayContext.java+1 1 modified
    @@ -98,7 +98,7 @@ public String getDefinition(WorkflowInstance workflowInstance)
     		throws PortalException {
     
     		WorkflowDefinition workflowDefinition =
    -			WorkflowDefinitionManagerUtil.getWorkflowDefinition(
    +			WorkflowDefinitionManagerUtil.liberalGetWorkflowDefinition(
     				workflowInstanceRequestHelper.getCompanyId(),
     				workflowInstance.getWorkflowDefinitionName(),
     				workflowInstance.getWorkflowDefinitionVersion());
    
  • modules/dxp/apps/portal-workflow-kaleo-forms/portal-workflow-kaleo-forms-web/src/main/java/com/liferay/portal/workflow/kaleo/forms/web/internal/util/KaleoFormsUtil.java+2 2 modified
    @@ -375,7 +375,7 @@ public static WorkflowDefinition getWorkflowDefinition(
     		long companyId, String name, int version) {
     
     		try {
    -			return WorkflowDefinitionManagerUtil.getWorkflowDefinition(
    +			return WorkflowDefinitionManagerUtil.liberalGetWorkflowDefinition(
     				companyId, name, version);
     		}
     		catch (Exception exception) {
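Review bot: `KaleoFormsUtil.getWorkflowDefinition` is a public static that forwards its own `name` and `version` arguments straight into the unchecked `liberalGetWorkflowDefinition`, so whether a user is entitled to that definition is now decided entirely by whoever calls this utility. The hunk does not show where those arguments originate; if any caller takes them from request parameters, the access-by-name problem this advisory describes would be open again on that path. I would either route this method through a permission-checked lookup or document on it that callers may pass only names taken from objects the user is already authorized for. `WorkflowDefinitionDisplayContext.getWorkflowDefinitions(String name)` and `_importWorkflowDefinitionLink` in the later commits on this page hand a caller-supplied name to a liberal lookup in the same way. The try block continues outside the hunk.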
    @@ -461,7 +461,7 @@ private static List<String> _getNodeNames(
     		throws Exception {
     
     		WorkflowDefinition workflowDefinition =
    -			WorkflowDefinitionManagerUtil.getWorkflowDefinition(
    +			WorkflowDefinitionManagerUtil.liberalGetWorkflowDefinition(
     				companyId, workflowDefinitionName, workflowDefinitionVersion);
     
     		return TransformUtil.transform(
    
720f2d3fde18

LPD-16334 Create liberal method for getLatestWorkflowDefinitions that doesn't check permissions

https://github.com/liferay/liferay-portalPedro LeiteJun 3, 2024via ghsa
4 files changed · +92 51
  • modules/apps/portal-workflow/portal-workflow-api/src/main/java/com/liferay/portal/workflow/manager/WorkflowDefinitionManager.java+8 0 modified
    @@ -130,6 +130,14 @@ public default WorkflowDefinition liberalGetLatestWorkflowDefinition(
     		throw new UnsupportedOperationException();
     	}
     
    +	public default List<WorkflowDefinition> liberalGetLatestWorkflowDefinitions(
    +			long companyId, int start, int end,
    +			OrderByComparator<WorkflowDefinition> orderByComparator)
    +		throws WorkflowException {
    +
    +		throw new UnsupportedOperationException();
    +	}
    +
     	public default List<WorkflowDefinition> liberalGetWorkflowDefinitions(
     			long companyId, String name, int start, int end,
     			OrderByComparator<WorkflowDefinition> orderByComparator)
    
  • modules/apps/portal-workflow/portal-workflow-api/src/main/java/com/liferay/portal/workflow/util/WorkflowDefinitionManagerUtil.java+12 12 modified
    @@ -45,18 +45,6 @@ public static int getActiveWorkflowDefinitionsCount(long companyId)
     			companyId);
     	}
     
    -	public static List<WorkflowDefinition> getLatestWorkflowDefinitions(
    -			long companyId, int start, int end,
    -			OrderByComparator<WorkflowDefinition> orderByComparator)
    -		throws WorkflowException {
    -
    -		WorkflowDefinitionManager workflowDefinitionManager =
    -			_workflowDefinitionManagerSnapshot.get();
    -
    -		return workflowDefinitionManager.getLatestWorkflowDefinitions(
    -			companyId, start, end, orderByComparator);
    -	}
    -
     	public static WorkflowDefinition getWorkflowDefinition(
     			long companyId, String name, int version)
     		throws WorkflowException {
    @@ -101,6 +89,18 @@ public static WorkflowDefinition liberalGetLatestWorkflowDefinition(
     			companyId, name);
     	}
     
    +	public static List<WorkflowDefinition> liberalGetLatestWorkflowDefinitions(
    +			long companyId, int start, int end,
    +			OrderByComparator<WorkflowDefinition> orderByComparator)
    +		throws WorkflowException {
    +
    +		WorkflowDefinitionManager workflowDefinitionManager =
    +			_workflowDefinitionManagerSnapshot.get();
    +
    +		return workflowDefinitionManager.liberalGetLatestWorkflowDefinitions(
    +			companyId, start, end, orderByComparator);
    +	}
    +
     	public static List<WorkflowDefinition> liberalGetWorkflowDefinitions(
     			long companyId, String name, int start, int end,
     			OrderByComparator<WorkflowDefinition> orderByComparator)
    
  • modules/apps/portal-workflow/portal-workflow-kaleo-runtime-integration-impl/src/main/java/com/liferay/portal/workflow/kaleo/runtime/integration/internal/WorkflowDefinitionManagerImpl.java+66 34 modified
    @@ -171,40 +171,8 @@ public List<WorkflowDefinition> getLatestWorkflowDefinitions(
     			OrderByComparator<WorkflowDefinition> orderByComparator)
     		throws WorkflowException {
     
    -		try {
    -			ServiceContext serviceContext = new ServiceContext();
    -
    -			serviceContext.setCompanyId(companyId);
    -
    -			List<KaleoDefinition> kaleoDefinitions = null;
    -
    -			if (active == null) {
    -				kaleoDefinitions =
    -					_kaleoDefinitionService.getScopeKaleoDefinitions(
    -						WorkflowDefinitionConstants.SCOPE_ALL, start, end,
    -						KaleoDefinitionOrderByComparator.getOrderByComparator(
    -							orderByComparator, _kaleoWorkflowModelConverter),
    -						serviceContext);
    -			}
    -			else {
    -				kaleoDefinitions =
    -					_kaleoDefinitionService.getScopeKaleoDefinitions(
    -						WorkflowDefinitionConstants.SCOPE_ALL, active, start,
    -						end,
    -						KaleoDefinitionOrderByComparator.getOrderByComparator(
    -							orderByComparator, _kaleoWorkflowModelConverter),
    -						serviceContext);
    -			}
    -
    -			int size = kaleoDefinitions.size();
    -
    -			return _toWorkflowDefinitions(
    -				kaleoDefinitions.toArray(new KaleoDefinition[size]),
    -				orderByComparator);
    -		}
    -		catch (Exception exception) {
    -			throw new WorkflowException(exception);
    -		}
    +		return _getLatestWorkflowDefinitions(
    +			active, companyId, false, start, end, orderByComparator);
     	}
     
     	@Override
    @@ -312,6 +280,16 @@ public WorkflowDefinition liberalGetLatestWorkflowDefinition(
     		return _getLatestWorkflowDefinition(companyId, true, name);
     	}
     
    +	@Override
    +	public List<WorkflowDefinition> liberalGetLatestWorkflowDefinitions(
    +			long companyId, int start, int end,
    +			OrderByComparator<WorkflowDefinition> orderByComparator)
    +		throws WorkflowException {
    +
    +		return _getLatestWorkflowDefinitions(
    +			null, companyId, true, start, end, orderByComparator);
    +	}
    +
     	@Override
     	public List<WorkflowDefinition> liberalGetWorkflowDefinitions(
     			long companyId, String name, int start, int end,
    @@ -520,6 +498,60 @@ private WorkflowDefinition _getLatestWorkflowDefinition(
     		}
     	}
     
    +	private List<WorkflowDefinition> _getLatestWorkflowDefinitions(
    +			Boolean active, long companyId, boolean liberal, int start, int end,
    +			OrderByComparator<WorkflowDefinition> orderByComparator)
    +		throws WorkflowException {
    +
    +		try {
    +			ServiceContext serviceContext = new ServiceContext();
    +
    +			serviceContext.setCompanyId(companyId);
    +
    +			List<KaleoDefinition> kaleoDefinitions = null;
    +
    +			if (active == null) {
    +				kaleoDefinitions = _get(
    +					liberal,
    +					() -> _kaleoDefinitionLocalService.getScopeKaleoDefinitions(
    +						WorkflowDefinitionConstants.SCOPE_ALL, start, end,
    +						KaleoDefinitionOrderByComparator.getOrderByComparator(
    +							orderByComparator, _kaleoWorkflowModelConverter),
    +						serviceContext),
    +					() -> _kaleoDefinitionService.getScopeKaleoDefinitions(
    +						WorkflowDefinitionConstants.SCOPE_ALL, start, end,
    +						KaleoDefinitionOrderByComparator.getOrderByComparator(
    +							orderByComparator, _kaleoWorkflowModelConverter),
    +						serviceContext));
    +			}
    +			else {
    +				kaleoDefinitions = _get(
    +					liberal,
    +					() -> _kaleoDefinitionLocalService.getScopeKaleoDefinitions(
    +						WorkflowDefinitionConstants.SCOPE_ALL, active, start,
    +						end,
    +						KaleoDefinitionOrderByComparator.getOrderByComparator(
    +							orderByComparator, _kaleoWorkflowModelConverter),
    +						serviceContext),
    +					() -> _kaleoDefinitionService.getScopeKaleoDefinitions(
    +						WorkflowDefinitionConstants.SCOPE_ALL, active, start,
    +						end,
    +						KaleoDefinitionOrderByComparator.getOrderByComparator(
    +							orderByComparator, _kaleoWorkflowModelConverter),
    +						serviceContext));
    +			}
    +
    +			int size = kaleoDefinitions.size();
    +
    +			return _toWorkflowDefinitions(
    +				kaleoDefinitions.toArray(new KaleoDefinition[size]),
    +				orderByComparator);
    +		}
    +		catch (Exception exception) {
    +			throw new WorkflowException(exception);
    +		}
    +	}
    +
     	private List<WorkflowDefinition> _getWorkflowDefinitions(
     			long companyId, boolean liberal, String name,
     			OrderByComparator<WorkflowDefinition> orderByComparator)
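Review bot: The four lambdas in `_getLatestWorkflowDefinitions` each repeat the full argument list, including `KaleoDefinitionOrderByComparator.getOrderByComparator(orderByComparator, _kaleoWorkflowModelConverter)`, so the checked and unchecked paths stay equivalent only as long as every copy is edited together. Hoisting that comparator call into one local before `if (active == null)` and passing the local to all four `getScopeKaleoDefinitions` calls would leave the service (`_kaleoDefinitionLocalService` versus `_kaleoDefinitionService`) as the only visible difference between each pair. That makes it much harder for a later edit to widen the scope of the liberal branch unnoticed.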
    
  • modules/apps/portal-workflow/portal-workflow-web/src/main/java/com/liferay/portal/workflow/web/internal/display/context/WorkflowDefinitionDisplayContext.java+6 5 modified
    @@ -273,7 +273,7 @@ public SearchContainer<WorkflowDefinition> getSearch(
     			"no-workflow-definitions-are-defined");
     
     		List<WorkflowDefinition> workflowDefinitions =
    -			WorkflowDefinitionManagerUtil.getLatestWorkflowDefinitions(
    +			WorkflowDefinitionManagerUtil.liberalGetLatestWorkflowDefinitions(
     				_workflowDefinitionRequestHelper.getCompanyId(),
     				QueryUtil.ALL_POS, QueryUtil.ALL_POS,
     				_getWorkflowDefinitionOrderByComparator());
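Review bot: `getSearch` now fills its list through `liberalGetLatestWorkflowDefinitions` with `QueryUtil.ALL_POS` for both bounds, so every latest definition of the company is loaded with no per-definition permission filter; the second hunk in this file makes the same switch inside the `setProductionModeWithSafeCloseable()` block. Whether the view that renders this container is itself restricted to users allowed to manage workflow definitions is not visible here and should be confirmed before relying on it. A comment at the call stating that assumption would make the intent reviewable. The method continues outside the hunk.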
    @@ -288,10 +288,11 @@ public SearchContainer<WorkflowDefinition> getSearch(
     						setProductionModeWithSafeCloseable()) {
     
     				workflowDefinitions.addAll(
    -					WorkflowDefinitionManagerUtil.getLatestWorkflowDefinitions(
    -						_workflowDefinitionRequestHelper.getCompanyId(),
    -						QueryUtil.ALL_POS, QueryUtil.ALL_POS,
    -						_getWorkflowDefinitionOrderByComparator()));
    +					WorkflowDefinitionManagerUtil.
    +						liberalGetLatestWorkflowDefinitions(
    +							_workflowDefinitionRequestHelper.getCompanyId(),
    +							QueryUtil.ALL_POS, QueryUtil.ALL_POS,
    +							_getWorkflowDefinitionOrderByComparator()));
     			}
     		}
     
    
4e85bafae4c4

LPD-16334 Create liberal method for getWorkflowDefinitions that doesn't check permissions

https://github.com/liferay/liferay-portalPedro LeiteJun 3, 2024via ghsa
4 files changed · +62 31
  • modules/apps/portal-workflow/portal-workflow-api/src/main/java/com/liferay/portal/workflow/manager/WorkflowDefinitionManager.java+8 0 modified
    @@ -130,6 +130,14 @@ public default WorkflowDefinition liberalGetLatestWorkflowDefinition(
     		throw new UnsupportedOperationException();
     	}
     
    +	public default List<WorkflowDefinition> liberalGetWorkflowDefinitions(
    +			long companyId, String name, int start, int end,
    +			OrderByComparator<WorkflowDefinition> orderByComparator)
    +		throws WorkflowException {
    +
    +		throw new UnsupportedOperationException();
    +	}
    +
     	/**
     	 * Saves a workflow definition without activating it or validating its data.
     	 * To save the definition, validate its data, and activate it, use {@link
    
  • modules/apps/portal-workflow/portal-workflow-api/src/main/java/com/liferay/portal/workflow/util/WorkflowDefinitionManagerUtil.java+12 12 modified
    @@ -68,18 +68,6 @@ public static WorkflowDefinition getWorkflowDefinition(
     			companyId, name, version);
     	}
     
    -	public static List<WorkflowDefinition> getWorkflowDefinitions(
    -			long companyId, String name, int start, int end,
    -			OrderByComparator<WorkflowDefinition> orderByComparator)
    -		throws WorkflowException {
    -
    -		WorkflowDefinitionManager workflowDefinitionManager =
    -			_workflowDefinitionManagerSnapshot.get();
    -
    -		return workflowDefinitionManager.getWorkflowDefinitions(
    -			companyId, name, start, end, orderByComparator);
    -	}
    -
     	public static int getWorkflowDefinitionsCount(long companyId, String name)
     		throws WorkflowException {
     
    @@ -113,6 +101,18 @@ public static WorkflowDefinition liberalGetLatestWorkflowDefinition(
     			companyId, name);
     	}
     
    +	public static List<WorkflowDefinition> liberalGetWorkflowDefinitions(
    +			long companyId, String name, int start, int end,
    +			OrderByComparator<WorkflowDefinition> orderByComparator)
    +		throws WorkflowException {
    +
    +		WorkflowDefinitionManager workflowDefinitionManager =
    +			_workflowDefinitionManagerSnapshot.get();
    +
    +		return workflowDefinitionManager.liberalGetWorkflowDefinitions(
    +			companyId, name, start, end, orderByComparator);
    +	}
    +
     	/**
     	 * Saves a workflow definition without activating it or validating its data.
     	 * To save the definition, validate its data, and activate it, use {@link
    
  • modules/apps/portal-workflow/portal-workflow-kaleo-runtime-integration-impl/src/main/java/com/liferay/portal/workflow/kaleo/runtime/integration/internal/WorkflowDefinitionManagerImpl.java+41 18 modified
    @@ -277,24 +277,8 @@ public List<WorkflowDefinition> getWorkflowDefinitions(
     			OrderByComparator<WorkflowDefinition> orderByComparator)
     		throws WorkflowException {
     
    -		try {
    -			List<KaleoDefinitionVersion> kaleoDefinitionVersions =
    -				_kaleoDefinitionVersionService.getKaleoDefinitionVersions(
    -					companyId, name);
    -
    -			int size = kaleoDefinitionVersions.size();
    -
    -			return _toWorkflowDefinitions(
    -				kaleoDefinitionVersions.toArray(
    -					new KaleoDefinitionVersion[size]),
    -				orderByComparator);
    -		}
    -		catch (WorkflowException workflowException) {
    -			throw workflowException;
    -		}
    -		catch (Exception exception) {
    -			throw new WorkflowException(exception);
    -		}
    +		return _getWorkflowDefinitions(
    +			companyId, false, name, orderByComparator);
     	}
     
     	@Override
    @@ -328,6 +312,16 @@ public WorkflowDefinition liberalGetLatestWorkflowDefinition(
     		return _getLatestWorkflowDefinition(companyId, true, name);
     	}
     
    +	@Override
    +	public List<WorkflowDefinition> liberalGetWorkflowDefinitions(
    +			long companyId, String name, int start, int end,
    +			OrderByComparator<WorkflowDefinition> orderByComparator)
    +		throws WorkflowException {
    +
    +		return _getWorkflowDefinitions(
    +			companyId, true, name, orderByComparator);
    +	}
    +
     	@Override
     	public WorkflowDefinition saveWorkflowDefinition(
     			long companyId, long userId, String title, String name,
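Review bot: `liberalGetWorkflowDefinitions` accepts `start` and `end` but passes neither to `_getWorkflowDefinitions(companyId, true, name, orderByComparator)`, so a caller asking for a bounded page silently receives every version of the definition. The only caller shown on this page passes `QueryUtil.ALL_POS` for both, so nothing changes today, but the signature promises a bound that the unchecked path does not honour. Either apply the range to the result before returning or state in a comment on the method that the range is ignored.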
    @@ -526,6 +520,35 @@ private WorkflowDefinition _getLatestWorkflowDefinition(
     		}
     	}
     
    +	private List<WorkflowDefinition> _getWorkflowDefinitions(
    +			long companyId, boolean liberal, String name,
    +			OrderByComparator<WorkflowDefinition> orderByComparator)
    +		throws WorkflowException {
    +
    +		try {
    +			List<KaleoDefinitionVersion> kaleoDefinitionVersions = _get(
    +				liberal,
    +				() ->
    +					_kaleoDefinitionVersionLocalService.
    +						getKaleoDefinitionVersions(companyId, name),
    +				() -> _kaleoDefinitionVersionService.getKaleoDefinitionVersions(
    +					companyId, name));
    +
    +			int size = kaleoDefinitionVersions.size();
    +
    +			return _toWorkflowDefinitions(
    +				kaleoDefinitionVersions.toArray(
    +					new KaleoDefinitionVersion[size]),
    +				orderByComparator);
    +		}
    +		catch (WorkflowException workflowException) {
    +			throw workflowException;
    +		}
    +		catch (Exception exception) {
    +			throw new WorkflowException(exception);
    +		}
    +	}
    +
     	private List<WorkflowDefinition> _toWorkflowDefinitions(
     		KaleoDefinition[] kaleoDefinitions,
     		OrderByComparator<WorkflowDefinition> orderByComparator) {
    
  • modules/apps/portal-workflow/portal-workflow-web/src/main/java/com/liferay/portal/workflow/web/internal/display/context/WorkflowDefinitionDisplayContext.java+1 1 modified
    @@ -372,7 +372,7 @@ public String getUserNameOrBlank(WorkflowDefinition workflowDefinition) {
     	public List<WorkflowDefinition> getWorkflowDefinitions(String name)
     		throws PortalException {
     
    -		return WorkflowDefinitionManagerUtil.getWorkflowDefinitions(
    +		return WorkflowDefinitionManagerUtil.liberalGetWorkflowDefinitions(
     			_workflowDefinitionRequestHelper.getCompanyId(), name,
     			QueryUtil.ALL_POS, QueryUtil.ALL_POS, null);
     	}
    
c30a8b729e13

LPD-16334 Create liberal method for getLatestWorkflowDefinition that doesn't check permissions

https://github.com/liferay/liferay-portalPedro LeiteJun 3, 2024via ghsa
5 files changed · +56 29
  • modules/apps/export-import/export-import-service/src/main/java/com/liferay/exportimport/internal/lar/PortletDataContextImpl.java+3 2 modified
    @@ -2532,8 +2532,9 @@ private void _importWorkflowDefinitionLink(
     
     			try {
     				workflowDefinition =
    -					WorkflowDefinitionManagerUtil.getLatestWorkflowDefinition(
    -						getCompanyId(), displayName);
    +					WorkflowDefinitionManagerUtil.
    +						liberalGetLatestWorkflowDefinition(
    +							getCompanyId(), displayName);
     			}
     			catch (WorkflowException workflowException) {
     				if (_log.isDebugEnabled()) {
    
  • modules/apps/portal-workflow/portal-workflow-api/src/main/java/com/liferay/portal/workflow/manager/WorkflowDefinitionManager.java+7 0 modified
    @@ -123,6 +123,13 @@ public default List<WorkflowDefinition> liberalGetActiveWorkflowDefinitions(
     		throw new UnsupportedOperationException();
     	}
     
    +	public default WorkflowDefinition liberalGetLatestWorkflowDefinition(
    +			long companyId, String name)
    +		throws WorkflowException {
    +
    +		throw new UnsupportedOperationException();
    +	}
    +
     	/**
     	 * Saves a workflow definition without activating it or validating its data.
     	 * To save the definition, validate its data, and activate it, use {@link
    
  • modules/apps/portal-workflow/portal-workflow-api/src/main/java/com/liferay/portal/workflow/util/WorkflowDefinitionManagerUtil.java+11 11 modified
    @@ -45,17 +45,6 @@ public static int getActiveWorkflowDefinitionsCount(long companyId)
     			companyId);
     	}
     
    -	public static WorkflowDefinition getLatestWorkflowDefinition(
    -			long companyId, String name)
    -		throws WorkflowException {
    -
    -		WorkflowDefinitionManager workflowDefinitionManager =
    -			_workflowDefinitionManagerSnapshot.get();
    -
    -		return workflowDefinitionManager.getLatestWorkflowDefinition(
    -			companyId, name);
    -	}
    -
     	public static List<WorkflowDefinition> getLatestWorkflowDefinitions(
     			long companyId, int start, int end,
     			OrderByComparator<WorkflowDefinition> orderByComparator)
    @@ -113,6 +102,17 @@ public static List<WorkflowDefinition> liberalGetActiveWorkflowDefinitions(
     			companyId, start, end, orderByComparator);
     	}
     
    +	public static WorkflowDefinition liberalGetLatestWorkflowDefinition(
    +			long companyId, String name)
    +		throws WorkflowException {
    +
    +		WorkflowDefinitionManager workflowDefinitionManager =
    +			_workflowDefinitionManagerSnapshot.get();
    +
    +		return workflowDefinitionManager.liberalGetLatestWorkflowDefinition(
    +			companyId, name);
    +	}
    +
     	/**
     	 * Saves a workflow definition without activating it or validating its data.
     	 * To save the definition, validate its data, and activate it, use {@link
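Review bot: With `getLatestWorkflowDefinition` removed in the previous hunk, this static facade now offers only the unchecked lookup by name, so a caller reaching for the convenient helper gets the variant that skips authorization. Consider keeping the checked method alongside it, or at least giving the new one a Javadoc such as `/** Skips permission checks; use only after the caller has authorized access to the definition. */`. The hunks for this file in commit b61004c960e1 do the same with `getActiveWorkflowDefinitions` and `liberalGetActiveWorkflowDefinitions`.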
    
  • modules/apps/portal-workflow/portal-workflow-kaleo-runtime-integration-impl/src/main/java/com/liferay/portal/workflow/kaleo/runtime/integration/internal/WorkflowDefinitionManagerImpl.java+34 15 modified
    @@ -162,21 +162,7 @@ public WorkflowDefinition getLatestWorkflowDefinition(
     			long companyId, String name)
     		throws WorkflowException {
     
    -		try {
    -			ServiceContext serviceContext = new ServiceContext();
    -
    -			serviceContext.setCompanyId(companyId);
    -
    -			return _kaleoWorkflowModelConverter.toWorkflowDefinition(
    -				_kaleoDefinitionService.getKaleoDefinition(
    -					name, serviceContext));
    -		}
    -		catch (WorkflowException workflowException) {
    -			throw workflowException;
    -		}
    -		catch (Exception exception) {
    -			throw new WorkflowException(exception);
    -		}
    +		return _getLatestWorkflowDefinition(companyId, false, name);
     	}
     
     	@Override
    @@ -334,6 +320,14 @@ public List<WorkflowDefinition> liberalGetActiveWorkflowDefinitions(
     			companyId, true, start, end, orderByComparator);
     	}
     
    +	@Override
    +	public WorkflowDefinition liberalGetLatestWorkflowDefinition(
    +			long companyId, String name)
    +		throws WorkflowException {
    +
    +		return _getLatestWorkflowDefinition(companyId, true, name);
    +	}
    +
     	@Override
     	public WorkflowDefinition saveWorkflowDefinition(
     			long companyId, long userId, String title, String name,
    @@ -507,6 +501,31 @@ private List<WorkflowDefinition> _getActiveWorkflowDefinitions(
     		}
     	}
     
    +	private WorkflowDefinition _getLatestWorkflowDefinition(
    +			long companyId, boolean liberal, String name)
    +		throws WorkflowException {
    +
    +		try {
    +			ServiceContext serviceContext = new ServiceContext();
    +
    +			serviceContext.setCompanyId(companyId);
    +
    +			return _kaleoWorkflowModelConverter.toWorkflowDefinition(
    +				_get(
    +					liberal,
    +					() -> _kaleoDefinitionLocalService.getKaleoDefinition(
    +						name, serviceContext),
    +					() -> _kaleoDefinitionService.getKaleoDefinition(
    +						name, serviceContext)));
    +		}
    +		catch (WorkflowException workflowException) {
    +			throw workflowException;
    +		}
    +		catch (Exception exception) {
    +			throw new WorkflowException(exception);
    +		}
    +	}
    +
     	private List<WorkflowDefinition> _toWorkflowDefinitions(
     		KaleoDefinition[] kaleoDefinitions,
     		OrderByComparator<WorkflowDefinition> orderByComparator) {
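Review bot: In `_getLatestWorkflowDefinition` the bare `liberal` flag decides whether the lookup goes to `_kaleoDefinitionLocalService` or to `_kaleoDefinitionService`, and on the liberal path the only scoping left is the `companyId` and `name` the caller passes in. That deserves a comment on the method, for example `// liberal == true uses the local service, which presumably performs no permission check; companyId must come from the request context`. The call sites in the earlier hunks of this file pass the flag as a bare `true`/`false` between two other arguments, which is easy to flip unnoticed. An inline marker such as `companyId, /* liberal */ true, name` would make that visible in review.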
    
  • modules/apps/portal-workflow/portal-workflow-web/src/main/java/com/liferay/portal/workflow/web/internal/display/context/WorkflowDefinitionLinkDisplayContext.java+1 1 modified
    @@ -106,7 +106,7 @@ public WorkflowDefinition fetchDefaultWorkflowDefinition(String className)
     			return null;
     		}
     
    -		return WorkflowDefinitionManagerUtil.getLatestWorkflowDefinition(
    +		return WorkflowDefinitionManagerUtil.liberalGetLatestWorkflowDefinition(
     			_workflowDefinitionLinkRequestHelper.getCompanyId(),
     			defaultWorkflowDefinitionLink.getWorkflowDefinitionName());
     	}
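Review bot: The switch to `liberalGetLatestWorkflowDefinition` here carries no comment explaining why an unchecked lookup is acceptable for this display context. The same is true of the `liberalGetActiveWorkflowDefinitions` call sites changed in commit b61004c960e1 (`DLEditFolderDisplayContext`, `edit_record_set.jsp`, `edit_folder.jsp`, `getWorkflowDefinitions()` in this class, and `KaleoFormsAdminDisplayContext`). Each of them hands `WorkflowDefinition` objects to a view for whoever can open that screen, so the justification should be recorded at the call, e.g. `// unchecked on purpose: the picker must list definitions the user cannot edit; only name and version are rendered`. Whether only those fields are rendered cannot be seen from these hunks and should be confirmed before writing it down. The body of `fetchDefaultWorkflowDefinition` starts outside the hunk.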
    
b61004c960e1

LPD-16334 Create liberal method for getActiveWorkflowDefinitions that doesn't check permissions

https://github.com/liferay/liferay-portalPedro LeiteJun 3, 2024via ghsa
8 files changed · +98 47
  • modules/apps/document-library/document-library-web/src/main/java/com/liferay/document/library/web/internal/display/context/DLEditFolderDisplayContext.java+1 1 modified
    @@ -209,7 +209,7 @@ public List<WorkflowDefinition> getWorkflowDefinitions()
     		}
     
     		_workflowDefinitions =
    -			WorkflowDefinitionManagerUtil.getActiveWorkflowDefinitions(
    +			WorkflowDefinitionManagerUtil.liberalGetActiveWorkflowDefinitions(
     				_themeDisplay.getCompanyId(), QueryUtil.ALL_POS,
     				QueryUtil.ALL_POS, null);
     
    
  • modules/apps/dynamic-data-lists/dynamic-data-lists-web/src/main/resources/META-INF/resources/edit_record_set.jsp+1 1 modified
    @@ -123,7 +123,7 @@ if (ddlDisplayContext.isAdminPortlet()) {
     							<aui:option><liferay-ui:message key="no-workflow" /></aui:option>
     
     							<%
    -							List<WorkflowDefinition> workflowDefinitions = WorkflowDefinitionManagerUtil.getActiveWorkflowDefinitions(company.getCompanyId(), QueryUtil.ALL_POS, QueryUtil.ALL_POS, null);
    +							List<WorkflowDefinition> workflowDefinitions = WorkflowDefinitionManagerUtil.liberalGetActiveWorkflowDefinitions(company.getCompanyId(), QueryUtil.ALL_POS, QueryUtil.ALL_POS, null);
     
     							for (WorkflowDefinition workflowDefinition : workflowDefinitions) {
     								boolean selected = false;
    
  • modules/apps/journal/journal-web/src/main/resources/META-INF/resources/edit_folder.jsp+1 1 modified
    @@ -23,7 +23,7 @@ boolean workflowEnabled = WorkflowHandlerRegistryUtil.getWorkflowHandler(Journal
     List<WorkflowDefinition> workflowDefinitions = null;
     
     if (workflowEnabled) {
    -	workflowDefinitions = WorkflowDefinitionManagerUtil.getActiveWorkflowDefinitions(company.getCompanyId(), QueryUtil.ALL_POS, QueryUtil.ALL_POS, null);
    +	workflowDefinitions = WorkflowDefinitionManagerUtil.liberalGetActiveWorkflowDefinitions(company.getCompanyId(), QueryUtil.ALL_POS, QueryUtil.ALL_POS, null);
     }
     
     String languageId = LocaleUtil.toLanguageId(locale);
    
  • modules/apps/portal-workflow/portal-workflow-api/src/main/java/com/liferay/portal/workflow/manager/WorkflowDefinitionManager.java+8 0 modified
    @@ -115,6 +115,14 @@ public default int getWorkflowDefinitionsCount(long companyId, String name)
     		throw new UnsupportedOperationException();
     	}
     
    +	public default List<WorkflowDefinition> liberalGetActiveWorkflowDefinitions(
    +			long companyId, int start, int end,
    +			OrderByComparator<WorkflowDefinition> orderByComparator)
    +		throws WorkflowException {
    +
    +		throw new UnsupportedOperationException();
    +	}
    +
     	/**
     	 * Saves a workflow definition without activating it or validating its data.
     	 * To save the definition, validate its data, and activate it, use {@link
    
  • modules/apps/portal-workflow/portal-workflow-api/src/main/java/com/liferay/portal/workflow/util/WorkflowDefinitionManagerUtil.java+12 12 modified
    @@ -35,18 +35,6 @@ public static WorkflowDefinition deployWorkflowDefinition(
     			companyId, userId, title, name, bytes);
     	}
     
    -	public static List<WorkflowDefinition> getActiveWorkflowDefinitions(
    -			long companyId, int start, int end,
    -			OrderByComparator<WorkflowDefinition> orderByComparator)
    -		throws WorkflowException {
    -
    -		WorkflowDefinitionManager workflowDefinitionManager =
    -			_workflowDefinitionManagerSnapshot.get();
    -
    -		return workflowDefinitionManager.getActiveWorkflowDefinitions(
    -			companyId, start, end, orderByComparator);
    -	}
    -
     	public static int getActiveWorkflowDefinitionsCount(long companyId)
     		throws WorkflowException {
     
    @@ -113,6 +101,18 @@ public static int getWorkflowDefinitionsCount(long companyId, String name)
     			companyId, name);
     	}
     
    +	public static List<WorkflowDefinition> liberalGetActiveWorkflowDefinitions(
    +			long companyId, int start, int end,
    +			OrderByComparator<WorkflowDefinition> orderByComparator)
    +		throws WorkflowException {
    +
    +		WorkflowDefinitionManager workflowDefinitionManager =
    +			_workflowDefinitionManagerSnapshot.get();
    +
    +		return workflowDefinitionManager.liberalGetActiveWorkflowDefinitions(
    +			companyId, start, end, orderByComparator);
    +	}
    +
     	/**
     	 * Saves a workflow definition without activating it or validating its data.
     	 * To save the definition, validate its data, and activate it, use {@link
    
  • modules/apps/portal-workflow/portal-workflow-kaleo-runtime-integration-impl/src/main/java/com/liferay/portal/workflow/kaleo/runtime/integration/internal/WorkflowDefinitionManagerImpl.java+69 27 modified
    @@ -5,6 +5,7 @@
     
     package com.liferay.portal.workflow.kaleo.runtime.integration.internal;
     
    +import com.liferay.petra.function.UnsafeSupplier;
     import com.liferay.petra.string.StringBundler;
     import com.liferay.petra.string.StringPool;
     import com.liferay.portal.kernel.exception.NoSuchModelException;
    @@ -100,33 +101,8 @@ public List<WorkflowDefinition> getActiveWorkflowDefinitions(
     			OrderByComparator<WorkflowDefinition> orderByComparator)
     		throws WorkflowException {
     
    -		try {
    -			if (orderByComparator == null) {
    -				orderByComparator =
    -					_workflowComparatorFactory.getDefinitionNameComparator(
    -						true);
    -			}
    -
    -			ServiceContext serviceContext = new ServiceContext();
    -
    -			serviceContext.setCompanyId(companyId);
    -
    -			List<KaleoDefinition> kaleoDefinitions =
    -				_kaleoDefinitionService.getScopeKaleoDefinitions(
    -					WorkflowDefinitionConstants.SCOPE_ALL, true, start, end,
    -					KaleoDefinitionOrderByComparator.getOrderByComparator(
    -						orderByComparator, _kaleoWorkflowModelConverter),
    -					serviceContext);
    -
    -			int size = kaleoDefinitions.size();
    -
    -			return _toWorkflowDefinitions(
    -				kaleoDefinitions.toArray(new KaleoDefinition[size]),
    -				orderByComparator);
    -		}
    -		catch (Exception exception) {
    -			throw new WorkflowException(exception);
    -		}
    +		return _getActiveWorkflowDefinitions(
    +			companyId, false, start, end, orderByComparator);
     	}
     
     	@Override
    @@ -348,6 +324,16 @@ public int getWorkflowDefinitionsCount(long companyId, String name)
     		}
     	}
     
    +	@Override
    +	public List<WorkflowDefinition> liberalGetActiveWorkflowDefinitions(
    +			long companyId, int start, int end,
    +			OrderByComparator<WorkflowDefinition> orderByComparator)
    +		throws WorkflowException {
    +
    +		return _getActiveWorkflowDefinitions(
    +			companyId, true, start, end, orderByComparator);
    +	}
    +
     	@Override
     	public WorkflowDefinition saveWorkflowDefinition(
     			long companyId, long userId, String title, String name,
    @@ -465,6 +451,62 @@ protected String getVersion(int version) {
     		return version + StringPool.PERIOD + 0;
     	}
     
    +	private <T> T _get(
    +			boolean liberal,
    +			UnsafeSupplier<T, PortalException> localServiceUnsafeSupplier,
    +			UnsafeSupplier<T, PortalException> serviceUnsafeSupplier)
    +		throws PortalException {
    +
    +		if (liberal) {
    +			return localServiceUnsafeSupplier.get();
    +		}
    +
    +		return serviceUnsafeSupplier.get();
    +	}
    +
    +	private List<WorkflowDefinition> _getActiveWorkflowDefinitions(
    +			long companyId, boolean liberal, int start, int end,
    +			OrderByComparator<WorkflowDefinition> orderByComparator)
    +		throws WorkflowException {
    +
    +		try {
    +			if (orderByComparator == null) {
    +				orderByComparator =
    +					_workflowComparatorFactory.getDefinitionNameComparator(
    +						true);
    +			}
    +
    +			ServiceContext serviceContext = new ServiceContext();
    +
    +			serviceContext.setCompanyId(companyId);
    +
    +			OrderByComparator<WorkflowDefinition> finalOrderByComparator =
    +				orderByComparator;
    +
    +			List<KaleoDefinition> kaleoDefinitions = _get(
    +				liberal,
    +				() -> _kaleoDefinitionLocalService.getScopeKaleoDefinitions(
    +					WorkflowDefinitionConstants.SCOPE_ALL, true, start, end,
    +					KaleoDefinitionOrderByComparator.getOrderByComparator(
    +						finalOrderByComparator, _kaleoWorkflowModelConverter),
    +					serviceContext),
    +				() -> _kaleoDefinitionService.getScopeKaleoDefinitions(
    +					WorkflowDefinitionConstants.SCOPE_ALL, true, start, end,
    +					KaleoDefinitionOrderByComparator.getOrderByComparator(
    +						finalOrderByComparator, _kaleoWorkflowModelConverter),
    +					serviceContext));
    +
    +			int size = kaleoDefinitions.size();
    +
    +			return _toWorkflowDefinitions(
    +				kaleoDefinitions.toArray(new KaleoDefinition[size]),
    +				orderByComparator);
    +		}
    +		catch (Exception exception) {
    +			throw new WorkflowException(exception);
    +		}
    +	}
    +
     	private List<WorkflowDefinition> _toWorkflowDefinitions(
     		KaleoDefinition[] kaleoDefinitions,
     		OrderByComparator<WorkflowDefinition> orderByComparator) {
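Review bot: The two lambdas passed to `_get` in `_getActiveWorkflowDefinitions` repeat the same call and differ only in the service they use. A later edit to the scope, the `true` argument or the comparator in one branch could therefore make the checked and unchecked paths return different sets without anyone noticing. Building the `KaleoDefinitionOrderByComparator.getOrderByComparator(...)` result once in a local before the `_get` call, and keeping each lambda to the single service invocation, would leave the service as the only visible difference. `_get` itself would also benefit from a one-line comment such as `// liberal: local service, no permission check; otherwise the permission-checked service`.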
    
  • modules/apps/portal-workflow/portal-workflow-web/src/main/java/com/liferay/portal/workflow/web/internal/display/context/WorkflowDefinitionLinkDisplayContext.java+1 1 modified
    @@ -315,7 +315,7 @@ public List<WorkflowDefinition> getWorkflowDefinitions()
     		}
     
     		_workflowDefinitions = ListUtil.filter(
    -			WorkflowDefinitionManagerUtil.getActiveWorkflowDefinitions(
    +			WorkflowDefinitionManagerUtil.liberalGetActiveWorkflowDefinitions(
     				_workflowDefinitionLinkRequestHelper.getCompanyId(),
     				QueryUtil.ALL_POS, QueryUtil.ALL_POS,
     				_workflowComparatorFactory.getDefinitionNameComparator(true)),
    
  • modules/dxp/apps/portal-workflow-kaleo-forms/portal-workflow-kaleo-forms-web/src/main/java/com/liferay/portal/workflow/kaleo/forms/web/internal/display/context/KaleoFormsAdminDisplayContext.java+5 4 modified
    @@ -389,10 +389,11 @@ _renderRequest, _getIteratorURL(), null,
     
     			searchContainer.setResultsAndTotal(
     				() ->
    -					WorkflowDefinitionManagerUtil.getActiveWorkflowDefinitions(
    -						_themeDisplay.getCompanyId(),
    -						searchContainer.getStart(), searchContainer.getEnd(),
    -						null),
    +					WorkflowDefinitionManagerUtil.
    +						liberalGetActiveWorkflowDefinitions(
    +							_themeDisplay.getCompanyId(),
    +							searchContainer.getStart(),
    +							searchContainer.getEnd(), null),
     				WorkflowDefinitionManagerUtil.getActiveWorkflowDefinitionsCount(
     					_themeDisplay.getCompanyId()));
     
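Review bot: After this change the results supplier calls `liberalGetActiveWorkflowDefinitions` while the total still comes from `getActiveWorkflowDefinitionsCount`, which this commit leaves untouched. If the count goes through the permission-checking service (not visible here), a user without permission on some definitions could get a page of results and a total that disagree, which breaks pagination. Either both values should come from the same path, or a comment should state why they cannot diverge, e.g. `// count is not permission-filtered, so it matches the liberal result list`. The enclosing method starts before the hunk.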
    
