PUBLIC - Liferay Portal Community Edition
LPS-125465

Searching users through the database ignores permissions

    Details

    • Fix Priority:
      3

      Description

      When the search goes through the indexer in the BaseIndexer class, the retrieved hits are filtered afterwards by the searching user's permission to view each returned user. When the search does not go through the indexer, it uses the userFinder.findByKeywords() method instead, which queries the database directly and performs no post-retrieval permission check at all, so every matching user is returned. Index searches are newer and are used by default, so permission checking for the database search path was most likely overlooked.
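      The defect pattern described above, as an added illustration that is not Liferay's own code: two search paths share the keyword match, but only the index path applies a post-retrieval permission filter, so the database path leaks every matching user to a viewer who may only see members of their own organization. The class and record names (UserSearch, UserRecord, Viewer), the permission rule and the sample users are assumptions made for this example; the hardened variant at the end simply applies the same filter on the database path so both paths return the same set for the same viewer.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Hypothetical, self-contained model of the two search paths described in the
// issue. Names and data here are assumptions for illustration, not Liferay classes.
public class UserSearch {

    // Constructed sample data: a user and the organization it belongs to (0 = none).
    record UserRecord(long userId, String screenName, long organizationId) {}

    // The searching principal: the organizations whose members it may view.
    record Viewer(long userId, Set<Long> viewableOrganizationIds) {}

    // Stands in for the per-hit permission check applied after an index search:
    // a viewer may see itself and members of organizations it may view.
    static boolean hasViewPermission(Viewer viewer, UserRecord user) {
        return user.userId() == viewer.userId()
            || viewer.viewableOrganizationIds().contains(user.organizationId());
    }

    // Both paths share the same keyword match; only the permission filtering differs.
    static boolean matchesKeywords(UserRecord user, String keywords) {
        return keywords.isEmpty()
            || user.screenName().toLowerCase().contains(keywords.toLowerCase());
    }

    // Index path: retrieve the hits, then drop the ones the viewer may not see.
    static List<UserRecord> searchWithIndex(List<UserRecord> all, Viewer viewer, String keywords) {
        List<UserRecord> results = new ArrayList<>();
        for (UserRecord user : all) {
            if (matchesKeywords(user, keywords) && hasViewPermission(viewer, user)) {
                results.add(user);
            }
        }
        return results;
    }

    // Database path as reported: the query returns every matching row and the
    // viewer is never consulted, so no permission filtering happens.
    static List<UserRecord> searchWithDatabaseUnfiltered(List<UserRecord> all, String keywords) {
        List<UserRecord> results = new ArrayList<>();
        for (UserRecord user : all) {
            if (matchesKeywords(user, keywords)) {
                results.add(user);
            }
        }
        return results;
    }

    // Hardened database path: apply the same post-retrieval filter the index
    // path uses, so the result set no longer depends on which path was taken.
    static List<UserRecord> searchWithDatabaseFiltered(List<UserRecord> all, Viewer viewer, String keywords) {
        List<UserRecord> results = new ArrayList<>();
        for (UserRecord user : searchWithDatabaseUnfiltered(all, keywords)) {
            if (hasViewPermission(viewer, user)) {
                results.add(user);
            }
        }
        return results;
    }

    public static void main(String[] args) {
        // Constructed users: User A and one colleague in organization 100,
        // one user without an organization, one in another organization.
        List<UserRecord> users = List.of(
            new UserRecord(1, "usera", 100),
            new UserRecord(2, "userb", 100),
            new UserRecord(3, "userc", 0),
            new UserRecord(4, "userd", 200));
        Viewer userA = new Viewer(1, Set.of(100L));

        System.out.println("index path:      " + searchWithIndex(users, userA, "user"));
        System.out.println("db path (bug):   " + searchWithDatabaseUnfiltered(users, "user"));
        System.out.println("db path (fixed): " + searchWithDatabaseFiltered(users, userA, "user"));
    }
}
```

      Running it shows the index path and the fixed database path returning only usera and userb for User A, while the unfiltered database path returns all four users, which is the same difference the reproduction steps below expose by toggling the search path.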

      Steps to Reproduce
      1. Set up an Organization Role and a Regular Role as follows:
      Regular Role
      Portal: View Control Panel Menu
      Users and Organizations: Access in Control Panel
      Users and Organizations: View

      Organization Role
      Users and Organizations: Access in Control Panel
      Users and Organizations: Permissions
      Users and Organizations: Preferences
      Users and Organizations: View
      Users and Organizations > Organization: Add Organization
      Users and Organizations > Organization: Assign Members
      Users and Organizations > Organization: Assign User Roles
      Users and Organizations > Organization: Manage Suborganizations
      Users and Organizations > Organization: Manage Users
      Users and Organizations > Organization: Update
      Users and Organizations > Organization: View
      Users and Organizations > Organization: View Members
      Users and Organizations > User: Impersonate
      Users and Organizations > User: Update
      Users and Organizations > User: View

      2. Create an Organization
      3. Create a user, called User A, assign him to the Organization as a member, and assign both roles to him
      4. Add several users and assign some of them as members of the same Organization.
      5. Login as User A and check the Users and Organizations -> Users tab
      Result: User A can see the users he has permissions to see.

      6. Shutdown Liferay
      7. Add users.search.with.index=false to your portal-ext.properties.
      8. Start Liferay
      9. Login as User A and check the Users and Organizations -> Users tab
      Result: User A can see all users.

        People

        Assignee: support-lep@liferay.com SE Support
        Reporter: christopher.lui Christopher Lui