  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-21432

Security issue: Organization administrator can impersonate portal administrators

    Details

      Description

      A user with the Organization administrator role can impersonate portal administrator and omniadmin users if they are members of his organization.

      Steps to reproduce:
      1- Create an organization "org1"
      2- Create a user "orgAdmin"
      3- Assign the role "Organization administrator" to "orgAdmin" on "org1"
      4- Create a portal administrator user "portalAdmin" (it would be important to also do one test with omniadmin users declared on portal-ext.properties)
      5- Assign "portalAdmin" to "org1" as member
      6- Log in as "orgAdmin"
      7- Go to Control Panel, users and organizations, "org1" and view members
      8- Impersonate "portalAdmin"

      The priority is minor because "portalAdmin" shouldn't be a member of that organization.

      If "orgAdmin" is a portal administrator, he should be able to impersonate any user.

      The following issue solved one similar case: LPS-5353


              People

              Assignee:
              support-lep@liferay.com SE Support
              Reporter:
              alberto.chaparro Alberto Chaparro
              Participants of an Issue:
              Recent user:
              Esther Sanz

                Dates

                Days since last comment:
                9 years, 36 weeks, 3 days ago
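
The authorization rule implied by the description above, as an added example that is not part of the original report and is not Liferay's code: an organization-scoped role may impersonate ordinary members of its organization, but never an account with portal-wide privileges. The classes and the names "member1" and "omni" are assumptions made for illustration; no Liferay API is used.

```java
import java.util.Collections;
import java.util.Set;

// Added illustration: a stand-alone model, not Liferay classes or its permission checker.
public class ImpersonationCheck {

    enum Privilege { PORTAL_ADMIN, OMNIADMIN }

    static final class User {
        final String name;
        final Set<Privilege> portalPrivileges; // portal-wide, independent of any organization
        final Set<String> memberOf;            // organizations the user belongs to
        final Set<String> orgAdminOf;          // organizations where the user is Organization administrator

        User(String name, Set<Privilege> portalPrivileges, Set<String> memberOf, Set<String> orgAdminOf) {
            this.name = name;
            this.portalPrivileges = portalPrivileges;
            this.memberOf = memberOf;
            this.orgAdminOf = orgAdminOf;
        }

        boolean hasPortalWidePrivilege() {
            return !portalPrivileges.isEmpty();
        }
    }

    static boolean canImpersonate(User actor, User target) {
        // Portal administrators and omniadmins may impersonate any user.
        if (actor.hasPortalWidePrivilege()) return true;
        // The check at issue in the report: an organization-scoped role must never
        // reach an account whose privileges are portal-wide, member or not.
        if (target.hasPortalWidePrivilege()) return false;
        // Otherwise the actor must administer an organization the target belongs to.
        return !Collections.disjoint(actor.orgAdminOf, target.memberOf);
    }

    public static void main(String[] args) {
        // Constructed users mirroring the reproduction steps; "member1" and "omni" are assumed names.
        User orgAdmin = new User("orgAdmin", Set.of(), Set.of("org1"), Set.of("org1"));
        User portalAdmin = new User("portalAdmin", Set.of(Privilege.PORTAL_ADMIN), Set.of("org1"), Set.of());
        User omni = new User("omni", Set.of(Privilege.OMNIADMIN), Set.of("org1"), Set.of());
        User member1 = new User("member1", Set.of(), Set.of("org1"), Set.of());

        for (User target : new User[] { portalAdmin, omni, member1 }) {
            System.out.println("orgAdmin -> " + target.name + ": " + canImpersonate(orgAdmin, target));
        }
        System.out.println("portalAdmin -> orgAdmin: " + canImpersonate(portalAdmin, orgAdmin));
    }
}
```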
