PUBLIC - Liferay Portal Community Edition / LPS-49848

User is shown a RequiredUserException instead of a PrincipalException when attempting to steal an admin account

    Details

    • Fix Priority: 5

      Description

      Steps to reproduce:
      1. Sign in
      2. Hit http://localhost:8080/api/jsonws
      3. Click the first 'add-address' service
      4. Copy the pAuth value
      5. Hit http://localhost:8080/c/portal/json_service?serviceClassName=com.liferay.portal.service.UserServiceUtil&serviceMethodName=updateStatus&serviceParameters=[userId,status]&userId=10202&status=6&p_auth=[[paste pAuth value here]]

      Expected result:

      {"message":"com.liferay.portal.security.auth.PrincipalException","exception":"com.liferay.portal.security.auth.PrincipalException"}

      Actual result:

      {"throwable":"com.liferay.portal.RequiredUserException","error":{"message":"com.liferay.portal.RequiredUserException","type":"com.liferay.portal.RequiredUserException"},"exception":"com.liferay.portal.RequiredUserException"}
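
A regression check for this report, as an added example that is not part of the original issue or of Liferay's code: it reads a json_service response body in either of the two shapes shown above and reports whether the caller was rejected with PrincipalException. The function names and verdict strings are assumptions made for the example; the two sample bodies are copied from the report.

```python
import json

# Exception class the report expects for an unauthorized caller.
EXPECTED_DENIAL = "com.liferay.portal.security.auth.PrincipalException"

# Response bodies copied from the "Expected result" and "Actual result" above.
EXPECTED_BODY = ('{"message":"com.liferay.portal.security.auth.PrincipalException",'
                 '"exception":"com.liferay.portal.security.auth.PrincipalException"}')
ACTUAL_BODY = ('{"throwable":"com.liferay.portal.RequiredUserException",'
               '"error":{"message":"com.liferay.portal.RequiredUserException",'
               '"type":"com.liferay.portal.RequiredUserException"},'
               '"exception":"com.liferay.portal.RequiredUserException"}')


def exception_class(body):
    """Return the exception class named in an error body, or None.

    Handles the flat shape ({"message", "exception"}) and the nested
    shape ({"throwable", "error": {"type"}, "exception"}).
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return None  # not JSON at all
    if not isinstance(doc, dict):
        return None
    error = doc.get("error")
    candidates = [
        doc.get("exception"),
        doc.get("throwable"),
        error.get("type") if isinstance(error, dict) else None,
    ]
    for value in candidates:
        if isinstance(value, str) and value.strip():
            return value.strip()
    return None


def classify(body):
    """Verdict for a non-admin call against another user's account (hypothetical labels)."""
    name = exception_class(body)
    if name == EXPECTED_DENIAL:
        return "denied-by-permission-check"  # the behaviour the report expects
    if name is not None:
        return "wrong-exception"             # the behaviour the report describes
    return "no-exception"                    # no error reported: investigate
```

Only the first verdict should pass in a regression suite for this issue; the other two both warrant a failure.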

            People

            Assignee:
            cristina.gonzalez Cristina Gonzalez
            Reporter:
            robert.srisamang Robert Srisam-ang (Inactive)
            Participants of an Issue:
            Recent user:
            Esther Sanz