- Type: Bug
- Status: Verified
- Resolution: Unresolved
- Affects Version/s: 7.2.10 DXP GA1, 7.2.X, 7.3.X, 7.3.10 DXP GA1, Master
- Fix Version/s: None
- Component/s: User Management > Roles
- Labels: None
- Fix Priority: 3
When we use the indexer in the BaseIndexer class, once we retrieve the hits we also filter them based on the searching user's permission to view each returned user. However, if we are searching without the indexer, we use the userFinder.findByKeywords() method, which queries the DB directly and doesn't perform any post-retrieval permission checking. Index searches are newer and used by default, so it's likely that permission checking for database searches was overlooked.
Steps to Reproduce
1. Set up an Org Role and a Regular Role as follows:
Regular Role
Portal: View Control Panel Menu
Users and Organizations: Access in Control Panel
Users and Organizations: View
Organization Role
Users and Organizations: Access in Control Panel
Users and Organizations: Permissions
Users and Organizations: Preferences
Users and Organizations: View
Users and Organizations > Organization: Add Organization
Users and Organizations > Organization: Assign Members
Users and Organizations > Organization: Assign User Roles
Users and Organizations > Organization: Manage Suborganizations
Users and Organizations > Organization: Manage Users
Users and Organizations > Organization: Update
Users and Organizations > Organization: View
Users and Organizations > Organization: View Members
Users and Organizations > User: Impersonate
Users and Organizations > User: Update
Users and Organizations > User: View
2. Create an Organization
3. Create a user, called User A, assign him to the Organization as a member, and assign both roles to him
4. Add several users and assign some of them as members of the same Organization.
5. Login as User A and check the Users and Organizations -> Users tab
Result: User A can see the users he has permissions to see.
6. Shut down Liferay
7. Add users.search.with.index=false to your portal-ext.properties.
8. Start Liferay
9. Login as User A and check the Users and Organizations -> Users tab
Result: User A can see all users.
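The two search paths described above, modelled as an added example with constructed data (this is not Liferay code; `can_view` is a hypothetical stand-in for the real permission checker, and `USERS` is made up). The indexed path applies a post-retrieval view check; the database path, as reported, returns every match. A small helper also flags `users.search.with.index=false` in a portal-ext.properties file.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class User:
    name: str
    org: Optional[str]  # organization membership, None if unassigned


# Constructed sample data: the searching user belongs to "acme".
USERS = [User("user_a", "acme"), User("bob", "acme"),
         User("carol", "globex"), User("dave", None)]


def can_view(viewer: User, target: User) -> bool:
    """Hypothetical rule standing in for Liferay's permission checker:
    an org-scoped View grant shows members of the viewer's own org."""
    return viewer is target or (viewer.org is not None and target.org == viewer.org)


def index_search(viewer: User, keywords: str, users: List[User] = USERS) -> List[str]:
    """Indexer path: hits are filtered by permission after retrieval."""
    hits = [u for u in users if keywords in u.name]
    return [u.name for u in hits if can_view(viewer, u)]


def db_search_as_reported(viewer: User, keywords: str, users: List[User] = USERS) -> List[str]:
    """Database path as described in the ticket: direct query, no filtering."""
    return [u.name for u in users if keywords in u.name]


def db_search_filtered(viewer: User, keywords: str, users: List[User] = USERS) -> List[str]:
    """Database path with the same post-retrieval check the indexer applies."""
    by_name = {u.name: u for u in users}
    return [n for n in db_search_as_reported(viewer, keywords, users)
            if can_view(viewer, by_name[n])]


def search_uses_index(portal_ext: str) -> bool:
    """Audit helper: False when portal-ext.properties disables indexed user
    search (only '=' separated, uncommented lines are considered; the last
    assignment wins, as in a properties file)."""
    value = "true"  # portal default when the property is absent
    for line in portal_ext.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, val = line.partition("=")
        if key.strip() == "users.search.with.index":
            value = val.strip().lower()
    return value != "false"
```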