  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-135868

Discussion adds wrong username when adding a comment while impersonating someone

    Details

      Description

      For certain users, when impersonating them and writing a comment in an Asset Publisher, the comment is saved with the author Test Test (the impersonator), and a warning like "Unable to impersonate jtP9LViCzpjvR ip/Dr1Ng== because the string cannot be decrypted" appears in the logs.

      The encrypted userid string is created based on the company's key (companyinfo table) and the user's userid:
      https://github.com/liferay/liferay-portal-ee/blob/7.3.x/util-taglib/src/com/liferay/taglib/security/DoAsURLTag.java#L61

      It can happen that this encryption adds a + sign.
      In our example it's: http://localhost:8080/web/guest?doAsUserId=jtP9LViCzpjvR%2Bip%2FDr1Ng%3D%3D

      The userid jtP9LViCzpjvR%2Bip%2FDr1Ng%3D%3D is created based on:
      key: F+Sct0NjJerFjp9sk2JLIQ==
      userid: 38080

      Preparation for the reproduction:
      Run this script to create the user with the above mentioned userid:

      import com.liferay.portal.kernel.service.UserLocalServiceUtil;
      import com.liferay.portal.kernel.model.User;
      import com.liferay.counter.kernel.service.CounterLocalServiceUtil;
      import com.liferay.portal.kernel.service.ContactLocalServiceUtil;
      import com.liferay.portal.kernel.model.Contact;
      import java.util.Locale;
      import java.util.Map;
      import com.liferay.portal.kernel.service.GroupLocalServiceUtil;
      
      // Fixed userId so that the encrypted doAsUserId matches the value in this report
      long userId = 38080;

      User funnyBug = UserLocalServiceUtil.createUser(userId);

      funnyBug.setScreenName("funnyBug");
      funnyBug.setFirstName("funny");
      funnyBug.setLastName("Bug");
      funnyBug.setEmailAddress("[email protected]");
      funnyBug.setLanguageId("en_US");
      funnyBug.setContactId(CounterLocalServiceUtil.increment());

      // Contact record linked to the new user
      Contact contact = ContactLocalServiceUtil.createContact(funnyBug.getContactId());

      contact.setCompanyId(funnyBug.getCompanyId());
      contact.setClassName(User.class.getName());
      contact.setClassPK(funnyBug.getUserId());

      contact.setParentContactId(0);
      contact.setEmailAddress(funnyBug.getEmailAddress());

      try {
          // Persist the user and contact, then add the group tied to this userId
          UserLocalServiceUtil.addUser(funnyBug);
          ContactLocalServiceUtil.addContact(contact);

          GroupLocalServiceUtil.addGroup(
              funnyBug.getUserId(), 0,
              User.class.getName(), funnyBug.getUserId(),
              0, (Map<Locale, String>)null,
              null, 0, true, 0,
              "//funnyBug", false, true, null);
      }
      catch (Exception e) {
          e.printStackTrace();
      }
      

      Run this script to change the company's key (don't forget to change the companyInfoId if needed):

      import com.liferay.portal.kernel.service.CompanyInfoLocalServiceUtil;
      import com.liferay.portal.kernel.model.CompanyInfo;
      
      long companyInfoId = 20101;
      CompanyInfo companyInfo = CompanyInfoLocalServiceUtil.getCompanyInfo(companyInfoId);
      
      companyInfo.setKey("F+Sct0NjJerFjp9sk2JLIQ==");
      
      CompanyInfoLocalServiceUtil.updateCompanyInfo(companyInfo);
      

      Reproduction steps:
      1) Add a web content
      2) Add an Asset Publisher to a page and enable comments
      3) Add the user to the site
      4) Impersonate the user and add a comment
      Result:
      The comment is created under the admin's name, and there is a WARN in the log:
      Unable to impersonate jtP9LViCzpjvR ip/Dr1Ng== because the string cannot be decrypted
      Notice the missing plus sign.

      7.3.x: reproduced
      Master: reproduced (in addition to the warning, there was also a long stack trace logged)
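
The encoding behaviour behind the missing plus sign, as an added example that is not part of the original report or Liferay's code. It assumes Java 10+ and that the token reaches the server after being URL-decoded one time too many (the report does not say where the plus sign is lost); the class name and helper are hypothetical, and the URL-safe variant at the end is a general hardening option, not the project's fix.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class DoAsUserIdEncodingDemo {

    // True if the value is well-formed standard Base64, which is what
    // the decryption step needs as input.
    static boolean isValidBase64(String value) {
        try {
            Base64.getDecoder().decode(value);
            return true;
        } catch (IllegalArgumentException e) {
            return false; // a space is outside the Base64 alphabet
        }
    }

    public static void main(String[] args) {
        // Encrypted userid from the report (doAsUserId, percent-decoded).
        String token = "jtP9LViCzpjvR+ip/Dr1Ng==";

        // Encoding once yields the parameter value shown in the report's URL.
        String encoded = URLEncoder.encode(token, StandardCharsets.UTF_8);
        System.out.println("encoded once : " + encoded);

        // A single decode restores the token unchanged.
        String once = URLDecoder.decode(encoded, StandardCharsets.UTF_8);
        System.out.println("decoded once : " + once
            + " validBase64=" + isValidBase64(once));

        // Assumed failure path: a second decode (or re-sending the decoded
        // value unencoded) turns '+' into a space, as in the WARN message.
        String twice = URLDecoder.decode(once, StandardCharsets.UTF_8);
        System.out.println("decoded twice: " + twice
            + " validBase64=" + isValidBase64(twice));

        // Hardening option: the URL-safe alphabet uses '-' and '_' instead of
        // '+' and '/', so repeated decoding cannot alter the token.
        byte[] raw = Base64.getDecoder().decode(token);
        String urlSafe = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        String urlSafeTwice = URLDecoder.decode(
            URLDecoder.decode(urlSafe, StandardCharsets.UTF_8), StandardCharsets.UTF_8);
        boolean intact = Arrays.equals(raw, Base64.getUrlDecoder().decode(urlSafeTwice));
        System.out.println("url-safe     : " + urlSafe + " intactAfterTwoDecodes=" + intact);
    }
}
```

When triaging logs, a doAsUserId value that contains a space where Base64 would allow a plus sign points to this encoding problem rather than to a wrong key.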

            People

            Assignee:
            beck.liu Beck Liu
            Reporter:
            istvan.dezsi Istvan Dezsi
            Participants of an Issue:
            Recent user:
            Enterprise Release HU
            Engineering Assignee:
            Istvan Dezsi

                Packages

                Version Package
                7.3.X
                7.4.2 CE GA3 DXP 7,4
                Master