  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-70662

Misleading tooltip in Source column when viewing a portal property that has been obfuscated

      Description

      If you use the portal property admin.obfuscated.properties to obfuscate a portal property, and then override that property with the Control Panel, the incorrect tooltip will be displayed in the Source column. The tooltip will claim that the value of the property is derived from the portal.properties file or one of its extensions. If an admin has access to portal-ext.properties and wishes to know the value of this property, they will believe that they can discover the value of the property by simply looking inside portal-ext.properties. This will cause them to mistakenly believe that they know the value of the property, when, in fact, they do not.

      Steps to Reproduce

      1. Add the following line to portal-ext.properties:
        admin.obfuscated.properties=jdbc.default.password,company.security.send.password
        
      2. Start up the portal and log in as the admin user.
      3. Navigate to Control Panel > Configuration > Instance Settings > Authentication.
      4. Uncheck the "Allow users to request forgotten passwords?" box and save the configuration.
      5. Navigate to Control Panel > Configuration > Server Administration > Properties > Portal Properties.
      6. Search for "company.security.send.password".
      7. Hover over and read the tooltip in the Source column.

      Expected result: The tooltip says that the value of the property has been overridden by the Control Panel.
      Actual result: The tooltip says that the value of the property was derived from portal.properties or one of its extension files.

      Reproduced in
      master (7cbe6dd7f4c96b9b5e4250f7003c32ddc34414c0)
      ee-7.0.x (3f09681cf6eaa15b88560a1dd1efd61b9794e998)
      Not reproduced in ee-6.2.x because LPS-70340 has not been committed to ee-6.2.x yet. Once this fix gets committed, we will backport it to ee-6.2.x together with LPS-70340.

              People

              • Assignee:
                hong.zhao Hong Zhao
                Reporter:
                michael.bowerman Michael Bowerman (Inactive)
                Participants of an Issue:
                Recent user:
                Csaba Turcsan

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Days since last comment:
                  2 years, 37 weeks, 1 day ago

                  Packages

                  Version Package
                  6.2.X EE
                  7.0.0 DXP SP2
                  7.0.0 DXP FP13
                  7.0.0 DXP SP3
                  7.0.3 CE GA4
                  7.1.X
                  Master