- Type: Bug
- Status: Closed
- Resolution: Fixed
- Affects Version/s: 6.1.X EE, 6.2.X EE, 7.0.0 M5
- Fix Version/s: 6.1.X EE, 6.2.4 CE GA5, 6.2.X EE, 7.0.0 M5
- Component/s: Core Infrastructure > Permissions, Security Vulnerability
- Branch Version/s: 6.2.x, 6.1.x
- Backported to Branch: Committed
- Story Points: 15
- Fix Priority: 4
- Git Pull Request:

- Set the following in portal-ext.properties:
    hibernate.show_sql=true
    layout.user.private.layouts.enabled=false
    layout.user.public.layouts.enabled=false
- Start a clean Liferay bundle
- Sign in as the omni-admin
- Remove the Power User role from the omni-admin user
- Visit the guest site and refresh the page
Expected behavior is that since everything is cached, no queries will run. Actual behavior is that Liferay repeatedly checks for the Power User role, which can be seen by the following query printing to the console every time the page is refreshed.
Hibernate:
( SELECT Groups_Roles.roleId FROM Groups_Roles
  INNER JOIN Group_ ON (Group_.groupId = Groups_Roles.groupId)
  INNER JOIN Users_Orgs ON (Users_Orgs.organizationId = Group_.classPK)
  WHERE (Groups_Roles.roleId = ?) AND (Users_Orgs.userId = ?) )
UNION
( SELECT Groups_Roles.roleId FROM Groups_Roles
  INNER JOIN Groups_Orgs ON (Groups_Orgs.groupId = Groups_Roles.groupId)
  INNER JOIN Users_Orgs ON (Users_Orgs.organizationId = Groups_Orgs.organizationId)
  WHERE (Groups_Roles.roleId = ?) AND (Users_Orgs.userId = ?) )
UNION
( SELECT Groups_Roles.roleId FROM Groups_Roles
  INNER JOIN Users_Groups ON (Users_Groups.groupId = Groups_Roles.groupId)
  WHERE (Groups_Roles.roleId = ?) AND (Users_Groups.userId = ?) )
UNION
( SELECT Users_Roles.roleId FROM Users_Roles
  WHERE (Users_Roles.roleId = ?) AND (Users_Roles.userId = ?) )
UNION
( SELECT Groups_Roles.roleId FROM Groups_Roles
  INNER JOIN Group_ ON (Group_.groupId = Groups_Roles.groupId)
  INNER JOIN Users_UserGroups ON (Users_UserGroups.userGroupId = Group_.classPK)
  WHERE (Groups_Roles.roleId = ?) AND (Users_UserGroups.userId = ?) )
UNION
( SELECT Groups_Roles.roleId FROM Groups_Roles
  INNER JOIN Groups_UserGroups ON (Groups_UserGroups.groupId = Groups_Roles.groupId)
  INNER JOIN Users_UserGroups ON (Users_UserGroups.userGroupId = Groups_UserGroups.userGroupId)
  WHERE (Groups_Roles.roleId = ?) AND (Users_UserGroups.userId = ?) )
Similar behavior happens for non-administrator users when checking whether the user has the Administrator role.
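
To verify the fix from a captured console log, the following added example (not part of the ticket or of Liferay's code) counts how often the role-membership query is printed per page refresh. It assumes single-line `hibernate.show_sql` output as reported above, a hypothetical marker line that the tester writes into the capture before each refresh, and that the first refresh is allowed to run the query once to populate the cache.

```python
import re

MARKER = "=== refresh ==="  # hypothetical line the tester adds to the capture before each refresh

def is_role_lookup(statement):
    """True for a UNION whose every branch selects roleId filtered by roleId and userId."""
    sql = " ".join(statement.split())
    branches = re.split(r"\)\s*UNION\s*\(", sql, flags=re.IGNORECASE)
    return len(branches) > 1 and all(
        re.search(r"SELECT \w+\.roleId FROM", b, re.IGNORECASE)
        and re.search(r"\.roleId = \?", b)
        and re.search(r"\.userId = \?", b)
        for b in branches
    )

def role_lookups_per_refresh(log_text):
    """Count role-membership queries printed by hibernate.show_sql in each refresh."""
    counts = []
    for line in log_text.splitlines():
        line = line.strip()
        if line == MARKER:
            counts.append(0)
        elif counts and line.startswith("Hibernate:"):
            counts[-1] += is_role_lookup(line[len("Hibernate:"):])
    return counts

def uncached_refreshes(counts):
    """Refresh numbers (1-based) after the first that still ran the lookup."""
    return [i for i, n in enumerate(counts[1:], start=2) if n > 0]

# Constructed sample: a two-branch shortening of the ticket's query plus an unrelated statement.
ROLE_SQL = ("Hibernate: ( SELECT Groups_Roles.roleId FROM Groups_Roles INNER JOIN Users_Groups "
            "ON (Users_Groups.groupId = Groups_Roles.groupId) WHERE (Groups_Roles.roleId = ?) "
            "AND (Users_Groups.userId = ?) ) UNION ( SELECT Users_Roles.roleId FROM Users_Roles "
            "WHERE (Users_Roles.roleId = ?) AND (Users_Roles.userId = ?) )")
OTHER_SQL = "Hibernate: select count(*) from Layout where groupId = ?"  # constructed
AFFECTED = "\n".join([MARKER, OTHER_SQL, ROLE_SQL, MARKER, ROLE_SQL, MARKER, ROLE_SQL])
FIXED = "\n".join([MARKER, OTHER_SQL, ROLE_SQL, MARKER, MARKER])

if __name__ == "__main__":
    for name, log in (("affected", AFFECTED), ("fixed", FIXED)):
        counts = role_lookups_per_refresh(log)
        print(name, counts, "uncached refreshes:", uncached_refreshes(counts))
```

A non-empty result from `uncached_refreshes` means the role check is still reaching the database on a warm cache.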