PUBLIC - Liferay Portal Community Edition / LPS-41555

ThemeDisplay.getDoAsUserId() should return null if ThemeDisplay.isImpersonated() is false

      Description

      Under normal conditions, when a logged-in user impersonates another user by clicking the “Impersonate User” option, ThemeDisplay.isImpersonated() returns true, and ThemeDisplay.getDoAsUserId() returns the value of “doAsUserId”.

      However, if a user without permission to impersonate others attempts to do so by stealing the URL, ThemeDisplay.isImpersonated() is false. In this case, doAsUserId should be removed from ThemeDisplay to make it more secure.
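
The requested getter behaviour, sketched as an added example that is not Liferay's code: `ThemeDisplaySketch`, `build` and the sample values are hypothetical stand-ins. It assumes the request setup copies the URL parameter unconditionally and sets the impersonation flag from a permission check.

```java
import java.util.Set;

// Simplified stand-in for the portal class; not Liferay source code.
public class DoAsUserIdGuardExample {

    static class ThemeDisplaySketch {
        private String doAsUserId;     // raw value taken from the request URL
        private boolean impersonated;  // true only after the permission check passed

        void setDoAsUserId(String doAsUserId) { this.doAsUserId = doAsUserId; }
        void setImpersonated(boolean impersonated) { this.impersonated = impersonated; }
        boolean isImpersonated() { return impersonated; }

        // Behaviour the issue describes: the raw value is returned regardless of the flag.
        String getDoAsUserIdUnguarded() { return doAsUserId; }

        // Behaviour the issue requests: null unless impersonation was authorised.
        String getDoAsUserId() { return impersonated ? doAsUserId : null; }
    }

    // Hypothetical request setup (assumption): the id is copied from the URL
    // parameter either way, the flag depends on the caller's permission.
    static ThemeDisplaySketch build(String caller, String doAsParam, Set<String> mayImpersonate) {
        ThemeDisplaySketch td = new ThemeDisplaySketch();
        td.setDoAsUserId(doAsParam);
        td.setImpersonated(doAsParam != null && mayImpersonate.contains(caller));
        return td;
    }

    public static void main(String[] args) {
        Set<String> mayImpersonate = Set.of("admin");     // constructed sample
        String copiedParam = "constructed-doAs-value";    // constructed sample

        ThemeDisplaySketch admin = build("admin", copiedParam, mayImpersonate);
        ThemeDisplaySketch other = build("regular-user", copiedParam, mayImpersonate);

        // Authorised impersonation: flag is true and the id is exposed.
        System.out.println("admin: " + admin.isImpersonated() + " " + admin.getDoAsUserId());

        // Unauthorised caller reusing the same URL: flag is false in both cases,
        // but only the guarded getter stops downstream code from seeing the id.
        System.out.println("other unguarded: " + other.getDoAsUserIdUnguarded());
        System.out.println("other guarded:   " + other.getDoAsUserId());
    }
}
```

Callers of the guarded getter need to handle `null`, since code that previously read the value without first checking `isImpersonated()` would now receive it.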

            People

            Assignee:
            Unassigned
            Reporter:
            sunny.pang Sunny Pang (Inactive)