Jeroen Hoffman pushed to branch release/4.2 at cms-community / hippo-repository
Commits: 981a89fa by Jeroen Hoffman at 2018-01-16T12:36:40+01:00 REPO-1927 [Back port to 11.2] SecurityManager doesn't sanitize userId in case of external providers to get memberships - sanitize user id - - - - - 1 changed file: - engine/src/main/java/org/hippoecm/repository/security/SecurityManager.java Changes: ===================================== engine/src/main/java/org/hippoecm/repository/security/SecurityManager.java =====================================
--- a/engine/src/main/java/org/hippoecm/repository/security/SecurityManager.java
+++ b/engine/src/main/java/org/hippoecm/repository/security/SecurityManager.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2013 Hippo B.V. (http://www.onehippo.com)
+ * Copyright 2008-2018 Hippo B.V. (http://www.onehippo.com)
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -362,10 +362,11 @@ public class SecurityManager implements HippoSecurityManager {
 */
 private Set<String> getMemberships(String rawUserId, String providerId) {
 try {
+ final String sanitizedUserId = sanitizeUserId(rawUserId, providerId);
 if (providers.containsKey(providerId)) {
- return providers.get(providerId).getGroupManager().getMembershipIds(rawUserId);
+ return providers.get(providerId).getGroupManager().getMembershipIds(sanitizedUserId);
 } else {
- return providers.get(INTERNAL_PROVIDER).getGroupManager().getMembershipIds(sanitizeUserId(rawUserId, providerId));
+ return providers.get(INTERNAL_PROVIDER).getGroupManager().getMembershipIds(sanitizedUserId);
 }
 } catch (RepositoryException e) {
 log.warn("Unable to get memberships for userId: " + rawUserId, e);
View it on GitLab: https://code.onehippo.org/cms-community/hippo-repository/commit/981a89fad7a30c81d4acba8f3ac4c19f260c97c1 --- View it on GitLab: https://code.onehippo.org/cms-community/hippo-repository/commit/981a89fad7a30c81d4acba8f3ac4c19f260c97c1 You're receiving this email because of your account on code.onehippo.org.
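Review bot: The `log.warn` call in the catch block still concatenates `rawUserId`, the same value this change stops passing to `getMembershipIds` unsanitized, so an id containing line breaks or control characters would reach the log verbatim. `sanitizedUserId` is scoped to the try block and cannot be reused there; a minimal option is to neutralise line breaks at the log site, e.g. `log.warn("Unable to get memberships for userId: " + String.valueOf(rawUserId).replaceAll("[\r\n]", "_"), e);`. What `sanitizeUserId` does when `providerId` names an external provider is not visible in this hunk, so a comment above the new line stating which characters it changes, plus a test with an external-provider id containing them, would make the intent checkable. The body of `getMemberships` continues past the end of the hunk.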