  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-135868

Discussion adds wrong username when adding a comment while impersonating someone

Details

    Description

      In the case of certain users, when impersonating them and writing a comment in an asset publisher, the comment is saved with author Test Test (the impersonator), and a warning like "Unable to impersonate jtP9LViCzpjvR ip/Dr1Ng== because the string cannot be decrypted" appears in the logs.

      The encrypted userid string is created based on the company's key (companyinfo table) and the user's userid:
      https://github.com/liferay/liferay-portal-ee/blob/7.3.x/util-taglib/src/com/liferay/taglib/security/DoAsURLTag.java#L61

      It can happen that this encryption adds a + sign.
      In our example it's: http://localhost:8080/web/guest?doAsUserId=jtP9LViCzpjvR%2Bip%2FDr1Ng%3D%3D

      The jtP9LViCzpjvR%2Bip%2FDr1Ng%3D%3D userid is created based on
      key:
      F+Sct0NjJerFjp9sk2JLIQ==

      userid: 38080

      Preparation for the reproduction:
      Run this script to create the user with the above mentioned userid:

      import com.liferay.portal.kernel.service.UserLocalServiceUtil;
      import com.liferay.portal.kernel.model.User;
      import com.liferay.counter.kernel.service.CounterLocalServiceUtil;
      import com.liferay.portal.kernel.service.ContactLocalServiceUtil;
      import com.liferay.portal.kernel.model.Contact;
      import java.util.Locale;
      import java.util.Map;
      import com.liferay.portal.kernel.service.GroupLocalServiceUtil;
      
      long userId = 38080;
      
      User funnyBug = UserLocalServiceUtil.createUser(userId);
      
      funnyBug.setScreenName("funnyBug");
      funnyBug.setFirstName("funny");
      funnyBug.setLastName("Bug");
      funnyBug.setEmailAddress("[email protected]");
      funnyBug.setLanguageId("en_US");
      funnyBug.setContactId(CounterLocalServiceUtil.increment());
      
      Contact contact = ContactLocalServiceUtil.createContact(funnyBug.getContactId());
      
      contact.setCompanyId(funnyBug.getCompanyId());
      contact.setClassName(User.class.getName());
      contact.setClassPK(funnyBug.getUserId());
      
      contact.setParentContactId(0);
      contact.setEmailAddress(funnyBug.getEmailAddress());
      
      try {
          UserLocalServiceUtil.addUser(funnyBug);
          ContactLocalServiceUtil.addContact(contact);
      
          GroupLocalServiceUtil.addGroup(
              funnyBug.getUserId(), 0,
              User.class.getName(), funnyBug.getUserId(),
              0, (Map<Locale, String>)null,
              null, 0, true, 0,
              "//funnyBug", false, true, null);
      }
      catch (Exception e) {
          e.printStackTrace();
      }
      

      Run this script to change the company's key (don't forget to change the companyInfoId if needed):

      import com.liferay.portal.kernel.service.CompanyInfoLocalServiceUtil;
      import com.liferay.portal.kernel.model.CompanyInfo;
      
      long companyInfoId = 20101;
      CompanyInfo companyInfo = CompanyInfoLocalServiceUtil.getCompanyInfo(companyInfoId);
      
      companyInfo.setKey("F+Sct0NjJerFjp9sk2JLIQ==");
      
      CompanyInfoLocalServiceUtil.updateCompanyInfo(companyInfo);
      

      Reproduction steps:
      1) Add a web content
      2) Add an Asset Publisher to a page and enable comments
      3) Add the user to the site
      4) Impersonate the user and add a comment
      Result:
      The comment is created under the admin's name, and there is a WARN in the log:
      Unable to impersonate jtP9LViCzpjvR ip/Dr1Ng== because the string cannot be decrypted
      Notice the missing plus sign.

      7.3.x: reproduced
      Master: reproduced (in addition to the warning, there was also a long stack trace logged)
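
The symptom above (a `+` turning into a space before decryption) is what a second form-style URL decode produces. The following is an added illustration, not code from the issue or from Liferay: it uses only JDK classes, the class name `DoAsUserIdPlusDemo` is hypothetical, and where the extra decode happens in the portal is an assumption. The URL-safe Base64 variant at the end is a general hardening option, not the project's fix.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.Base64;

public class DoAsUserIdPlusDemo {

    // True when the value is still valid Base64, i.e. it could be handed to the decryptor
    static boolean isBase64(String value) {
        try {
            Base64.getDecoder().decode(value);
            return true;
        }
        catch (IllegalArgumentException iae) {
            return false; // e.g. "Illegal base64 character 20" for a space
        }
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Encrypted doAsUserId from the report: Base64 text containing '+' and '/'
        String token = "jtP9LViCzpjvR+ip/Dr1Ng==";

        // Value as carried in the doAs URL: '+' -> %2B, '/' -> %2F, '=' -> %3D
        String inUrl = URLEncoder.encode(token, "UTF-8");

        // First decode: what the servlet container does for query parameters
        String once = URLDecoder.decode(inUrl, "UTF-8");

        // Second form decode somewhere downstream (assumed): '+' becomes ' '
        String twice = URLDecoder.decode(once, "UTF-8");

        System.out.println("in URL : " + inUrl);
        System.out.println("once   : " + once + "  base64 ok=" + isBase64(once));
        System.out.println("twice  : " + twice + "  base64 ok=" + isBase64(twice));

        // Hardening option: the URL-safe alphabet uses '-' and '_' instead of
        // '+' and '/', so an extra decode cannot alter the token
        byte[] raw = Base64.getDecoder().decode(token);
        String urlSafe = Base64.getUrlEncoder().encodeToString(raw);
        String roundTrip = URLDecoder.decode(
            URLDecoder.decode(URLEncoder.encode(urlSafe, "UTF-8"), "UTF-8"),
            "UTF-8");
        System.out.println(
            "urlsafe: " + roundTrip + "  intact=" + urlSafe.equals(roundTrip));
    }
}
```

The `twice` line prints the same space-containing string as the WARN message, and that value is rejected before decryption can even start, which is why the request falls back to the impersonator's own identity.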

          People

            beck.liu Beck Liu
            istvan.dezsi Istvan Dezsi
            Kiyoshi Lee Kiyoshi Lee
            Istvan Dezsi Istvan Dezsi

            Dates

              Created:
              Updated:
              Resolved:
              1 year, 19 weeks, 1 day ago

              Packages

                Version Package
                7.2.10 DXP FP17
                7.2.10.6 DXP SP6
                7.2.X
                7.3.10.3 DXP SP3
                7.3.X
                7.4.2 CE GA3 DXP 7,4
                7.4.13 DXP GA1
                7.4.3.5 CE GA5
                7.4.13 DXP U1
                Master