introspection permissions
I noticed that only one of the two introspection methods checks the whitelist. And the portal calls the other one :( Setting the introspection setting to true makes the portal work.
I also wonder if the whitelist works in the first place, since it compares a well-known name to what get_sender() returns. And I would expect get_sender to return a unique name.