  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-49848

User is shown a RequiredUserException instead of a PrincipalException when attempting to steal an admin account

Details

    • 5
    • Regression Bug

    Description

      Steps to reproduce:
      1. Sign in
      2. Hit http://localhost:8080/api/jsonws
      3. Click the first 'add-address' service
      4. Copy the pAuth value
      5. Hit http://localhost:8080/c/portal/json_service?serviceClassName=com.liferay.portal.service.UserServiceUtil&serviceMethodName=updateStatus&serviceParameters=[userId,status]&userId=10202&status=6&p_auth=[[paste pAuth value here]]

      Expected result:

      {"message":"com.liferay.portal.security.auth.PrincipalException","exception":"com.liferay.portal.security.auth.PrincipalException"}

      Actual result:

      {"throwable":"com.liferay.portal.RequiredUserException","error":{"message":"com.liferay.portal.RequiredUserException","type":"com.liferay.portal.RequiredUserException"},"exception":"com.liferay.portal.RequiredUserException"}

          People

            cristina.gonzalez Cristina Gonzalez
            robert.srisamang Robert Srisam-ang (Inactive)
            Marta Elicegui Marta Elicegui

            Dates

              Created:
              Updated:
              Resolved:
              6 years, 37 weeks, 6 days ago
