Type: Regression Bug
Affects Version/s: 7.0.0 DXP SP2, Master
Component/s: Control Panel Framework
If you use the portal property admin.obfuscated.properties to obfuscate a portal property, and then override that property with the Control Panel, an incorrect tooltip is displayed in the Source column. The tooltip claims that the value of the property is derived from the portal.properties file or one of its extensions. An admin who has access to portal-ext.properties and wishes to know the value of this property will believe that they can discover it by simply looking inside portal-ext.properties. They will then mistakenly believe that they know the value of the property when, in fact, they do not.
Steps to Reproduce
- Add the following line to portal-ext.properties:
- Start up the portal and log in as the admin user.
- Navigate to Control Panel > Configuration > Instance Settings > Authentication.
- Uncheck the "Allow users to request forgotten passwords?" box and save the configuration.
- Navigate to Control Panel > Configuration > Server Administration > Properties > Portal Properties.
- Search for "company.security.send.password".
- Hover over and read the tooltip in the Source column.
Expected result: The tooltip says that the value of the property has been overridden by the Control Panel.
Actual result: The tooltip says that the value of the property was derived from portal.properties or one of its extension files.
Not reproduced in ee-6.2.x because LPS-70340 has not been committed to ee-6.2.x yet. Once this fix gets committed, we will backport it to ee-6.2.x together with LPS-70340.