LPD-72782 Create a configuration to remove client's IP from Liferay object

Author: izaera

modules/apps/frontend-js/frontend-js-web/src/main/java/com/liferay/frontend/js/web/internal/configuration/LiferayGlobalObjectConfiguration.java

@@ -0,0 +1,32 @@
+/**
+ * SPDX-FileCopyrightText: (c) 2025 Liferay, Inc. https://liferay.com
+ * SPDX-License-Identifier: LGPL-2.1-or-later OR LicenseRef-Liferay-DXP-EULA-2.0.0-2023-06
+ */
+
+package com.liferay.frontend.js.web.internal.configuration;
+
+import aQute.bnd.annotation.metatype.Meta;
+
+import com.liferay.portal.configuration.metatype.annotations.ExtendedObjectClassDefinition;
+
+/**
+ * @author Iván Zaera Avellón
+ */
+@ExtendedObjectClassDefinition(
+	category = "infrastructure",
+	scope = ExtendedObjectClassDefinition.Scope.COMPANY, strictScope = true
+)
+@Meta.OCD(
+	id = "com.liferay.frontend.js.web.internal.configuration.LiferayGlobalObjectConfiguration",
+	localization = "content/Language",
+	name = "liferay-global-object-configuration-name"
+)
+public interface LiferayGlobalObjectConfiguration {
+
+	@Meta.AD(
+		deflt = "false", description = "disable-get-remote-methods-help",
+		name = "disable-get-remote-methods", required = false
+	)
+	public boolean disableGetRemoteMethods();
+
+}

modules/apps/frontend-js/frontend-js-web/src/main/java/com/liferay/frontend/js/web/internal/servlet/taglib/LiferayGlobalObjectPreAUIDynamicInclude.java

@@ -6,11 +6,14 @@
 package com.liferay.frontend.js.web.internal.servlet.taglib;
 
 import com.liferay.exportimport.kernel.staging.Staging;
+import com.liferay.frontend.js.web.internal.configuration.LiferayGlobalObjectConfiguration;
 import com.liferay.layout.seo.kernel.LayoutSEOLink;
 import com.liferay.layout.seo.kernel.LayoutSEOLinkManager;
 import com.liferay.petra.string.CharPool;
 import com.liferay.petra.string.StringBundler;
 import com.liferay.petra.string.StringPool;
+import com.liferay.portal.configuration.metatype.bnd.util.ConfigurableUtil;
+import com.liferay.portal.configuration.module.configuration.ConfigurationProvider;
 import com.liferay.portal.kernel.content.security.policy.ContentSecurityPolicyNonceProviderUtil;
 import com.liferay.portal.kernel.exception.PortalException;
 import com.liferay.portal.kernel.feature.flag.FeatureFlag;
@@ -23,6 +26,7 @@
 import com.liferay.portal.kernel.model.LayoutTypePortlet;
 import com.liferay.portal.kernel.model.User;
 import com.liferay.portal.kernel.model.impl.VirtualLayout;
+import com.liferay.portal.kernel.module.configuration.ConfigurationException;
 import com.liferay.portal.kernel.security.auth.AuthToken;
 import com.liferay.portal.kernel.security.permission.ActionKeys;
 import com.liferay.portal.kernel.service.permission.LayoutPermission;
@@ -63,6 +67,7 @@
 import java.text.Format;
 import java.text.SimpleDateFormat;
 
+import java.util.Collections;
 import java.util.Locale;
 import java.util.Map;
 import java.util.TimeZone;
@@ -87,6 +92,9 @@ public void include(
 			HttpServletResponse httpServletResponse, String key)
 		throws IOException {
 
+		LiferayGlobalObjectConfiguration liferayGlobalObjectConfiguration =
+			_getLiferayGlobalObjectConfiguration(httpServletRequest);
+
 		PrintWriter printWriter = httpServletResponse.getWriter();
 
 		printWriter.print("<script");
@@ -107,7 +115,8 @@ public void include(
 			_renderLiferayPortlet(sb);
 			_renderLiferayPortletKeys(sb);
 			_renderLiferayPropsValues(httpServletRequest, sb);
-			_renderLiferayThemeDisplay(httpServletRequest, sb);
+			_renderLiferayThemeDisplay(
+				httpServletRequest, liferayGlobalObjectConfiguration, sb);
 			_renderLiferayUtil(sb);
 
 			_renderValue(
@@ -210,6 +219,35 @@ else if (dayIndex < monthIndex) {
 		return dateFormatPattern;
 	}
 
+	private LiferayGlobalObjectConfiguration
+		_getLiferayGlobalObjectConfiguration(
+			HttpServletRequest httpServletRequest) {
+
+		LiferayGlobalObjectConfiguration liferayGlobalObjectConfiguration;
+
+		long companyId = _portal.getCompanyId(httpServletRequest);
+
+		try {
+			liferayGlobalObjectConfiguration =
+				_configurationProvider.getCompanyConfiguration(
+					LiferayGlobalObjectConfiguration.class, companyId);
+		}
+		catch (ConfigurationException configurationException) {
+			if (_log.isWarnEnabled()) {
+				_log.warn(
+					"Using default configuration for company " + companyId,
+					configurationException);
+			}
+
+			liferayGlobalObjectConfiguration =
+				ConfigurableUtil.createConfigurable(
+					LiferayGlobalObjectConfiguration.class,
+					Collections.emptyMap());
+		}
+
+		return liferayGlobalObjectConfiguration;
+	}
+
 	private void _renderLiferayAUI(
 		HttpServletRequest httpServletRequest, StringBundler sb) {
 
@@ -499,7 +537,9 @@ private void _renderLiferayPropsValues(
 	}
 
 	private void _renderLiferayThemeDisplay(
-			HttpServletRequest httpServletRequest, StringBundler sb)
+			HttpServletRequest httpServletRequest,
+			LiferayGlobalObjectConfiguration liferayGlobalObjectConfiguration,
+			StringBundler sb)
 		throws PortalException {
 
 		sb.append("ThemeDisplay: {\n");
@@ -581,8 +621,11 @@ private void _renderLiferayThemeDisplay(
 		_renderMethod("getPlid", sb, themeDisplay.getPlid());
 		_renderMethod("getPortalURL", sb, themeDisplay.getPortalURL());
 		_renderMethod("getRealUserId", sb, themeDisplay.getRealUserId());
-		_renderMethod("getRemoteAddr", sb, themeDisplay.getRemoteAddr());
-		_renderMethod("getRemoteHost", sb, themeDisplay.getRemoteHost());
+
+		if (!liferayGlobalObjectConfiguration.disableGetRemoteMethods()) {
+			_renderMethod("getRemoteAddr", sb, themeDisplay.getRemoteAddr());
+			_renderMethod("getRemoteHost", sb, themeDisplay.getRemoteHost());
+		}
 
 		Group scopeGroup = themeDisplay.getScopeGroup();
 
@@ -751,6 +794,9 @@ else if (value instanceof String) {
 	@Reference
 	private AuthToken _authToken;
 
+	@Reference
+	private ConfigurationProvider _configurationProvider;
+
 	private final Map<Locale, String> _displayNames = new ConcurrentHashMap<>();
 
 	@Reference

modules/apps/portal-language/portal-language-lang/src/main/resources/content/Language.properties

@@ -6220,6 +6220,8 @@ disable-as-a-collection-provider-help=Disabling this as a collection provider wi
 disable-caching=Disable Caching
 disable-document-recording=Disable Document Recording
 disable-forwarding=Disable Forwarding
+disable-get-remote-methods=Disable getRemoteAddr() and getRemoteHost() methods
+disable-get-remote-methods-help=If checked, the methods getRemoteAddr() and getRemoteHost() will not be defined in the Liferay.ThemeDisplay global object. This may be useful if you are worried about revealing personal information or if you want to make pages for unauthenticated users publicly cacheable. However, it will make any code you deploy (that uses these methods) fail.
 disable-globally=Disable Multi-Factor Authentication
 disable-globally-description=Disable multi-factor authentication system-wide.
 disable-inheritance-confirmation=Disable Inheritance Confirmation
@@ -10778,6 +10780,7 @@ licenses-registered=Licenses Registered
 liferay=Liferay
 liferay-analytics-key=Liferay Analytics Key
 liferay-dxp-instance-has-to-be-connected-with-analytics-cloud-to-view-content-performance-metrics-and-build-a-successful-content-strategy=In order to view content performance metrics and build a successful content strategy, your Liferay DXP instance has to be connected with Liferay Analytics Cloud.
+liferay-global-object-configuration-name=Liferay Global Object
 liferay-has-failed-to-connect-to-the-ldap-server=Liferay has failed to connect to the LDAP server. Please check your configuration and verify that the LDAP server is running.
 liferay-has-failed-to-connect-to-the-opensso-server=Liferay has failed to connect to the OpenSSO server. Please check your configuration and verify that the OpenSSO server is running.
 liferay-has-failed-to-connect-to-the-opensso-services=Liferay has failed to connect to the OpenSSO services. Please verify that the OpenSSO services are running.