  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-21432

Security issue: Organization administrator can impersonate portal administrators

Details

    Description

      A user with the Organization administrator role can impersonate portal administrator and omniadmin users if they are members of his organization.

      Steps to reproduce:
      1- Create an organization "org1"
      2- Create a user "orgAdmin"
      3- Assign the role "Organization administrator" to "orgAdmin" on "org1"
      4- Create a portal administrator user "portalAdmin" (it would be important to also do one test with omniadmin users declared in portal-ext.properties)
      5- Assign "portalAdmin" to "org1" as member
      6- Log in as "orgAdmin"
      7- Go to Control Panel, users and organizations, "org1" and view members
      8- Impersonate "portalAdmin"

      The priority is minor because "portalAdmin" shouldn't be a member of that organization.

      If "orgAdmin" is a portal administrator, he should be able to impersonate any user.

      The following issue solved one similar case: LPS-5353
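
The rule the report implies, as an added Java example that is not Liferay's code: a scope-only check allows the reported impersonation, while a check that also compares privilege denies it. The `User` record and both method names are hypothetical, and the sample users are constructed from the reproduction steps.

```java
import java.util.Set;

// Added illustration: a simplified model, not Liferay's API.
// All type and method names here are hypothetical.
public class ImpersonationCheck {

    record User(String name, boolean portalAdmin, boolean omniadmin,
                Set<String> memberOf, Set<String> orgAdminOf) {}

    // Models the reported behaviour: the decision looks only at scope,
    // i.e. whether the actor administers an organization the target is in.
    static boolean scopeOnly(User actor, User target) {
        if (actor.portalAdmin() || actor.omniadmin()) return true;
        return target.memberOf().stream().anyMatch(actor.orgAdminOf()::contains);
    }

    // Hardened rule: scope is necessary but not sufficient. An actor without
    // portal-wide rights may never assume an identity that has them.
    static boolean scopeAndPrivilege(User actor, User target) {
        if (actor.portalAdmin() || actor.omniadmin()) return true;   // may impersonate any user
        if (target.portalAdmin() || target.omniadmin()) return false; // no privilege gain
        return target.memberOf().stream().anyMatch(actor.orgAdminOf()::contains);
    }

    public static void main(String[] args) {
        // Constructed sample data mirroring the reproduction steps.
        User orgAdmin = new User("orgAdmin", false, false, Set.of("org1"), Set.of("org1"));
        User portalAdmin = new User("portalAdmin", true, false, Set.of("org1"), Set.of());
        User omniAdmin = new User("omniAdmin", false, true, Set.of("org1"), Set.of());
        User member = new User("member1", false, false, Set.of("org1"), Set.of());
        User outsider = new User("outsider", false, false, Set.of("org2"), Set.of());

        for (User target : new User[] {portalAdmin, omniAdmin, member, outsider}) {
            System.out.printf("orgAdmin -> %-11s scopeOnly=%-5b hardened=%b%n",
                target.name(), scopeOnly(orgAdmin, target),
                scopeAndPrivilege(orgAdmin, target));
        }
        // A portal administrator keeps the ability to impersonate any user.
        System.out.printf("portalAdmin -> member1  hardened=%b%n",
            scopeAndPrivilege(portalAdmin, member));
    }
}
```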

            People

              support-lep@liferay.com SE Support
              alberto.chaparro Alberto Chaparro
              Kiyoshi Lee Kiyoshi Lee

              Dates

                Created:
                Updated:
                Resolved:
                10 years, 29 weeks, 3 days ago