Jeroen Hoffman pushed to branch release/5.1 at cms-community / hippo-repository
Commits: b3560a0b by Jeroen Hoffman at 2018-01-16T12:29:20+01:00 REPO-1925 [Back port to 12.1] SecurityManager doesn't sanitize userId in case of external providers to get memberships - sanitize user id - - - - - 1 changed file: - engine/src/main/java/org/hippoecm/repository/security/SecurityManager.java Changes: ===================================== engine/src/main/java/org/hippoecm/repository/security/SecurityManager.java ===================================== --- a/engine/src/main/java/org/hippoecm/repository/security/SecurityManager.java +++ b/engine/src/main/java/org/hippoecm/repository/security/SecurityManager.java @@ -1,5 +1,5 @@ /* - * Copyright 2008-2013 Hippo B.V. (http://www.onehippo.com) + * Copyright 2008-2018 Hippo B.V. (http://www.onehippo.com) * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -362,10 +362,11 @@ public class SecurityManager implements HippoSecurityManager { */ private Set<String> getMemberships(String rawUserId, String providerId) { try { + final String sanitizedUserId = sanitizeUserId(rawUserId, providerId); if (providers.containsKey(providerId)) { - return providers.get(providerId).getGroupManager().getMembershipIds(rawUserId); + return providers.get(providerId).getGroupManager().getMembershipIds(sanitizedUserId); } else { - return providers.get(INTERNAL_PROVIDER).getGroupManager().getMembershipIds(sanitizeUserId(rawUserId, providerId)); + return providers.get(INTERNAL_PROVIDER).getGroupManager().getMembershipIds(sanitizedUserId); } } catch (RepositoryException e) { log.warn("Unable to get memberships for userId: " + rawUserId, e); View it on GitLab: https://code.onehippo.org/cms-community/hippo-repository/commit/b3560a0be1f02acb21cca463055f62e2dfeaa751 --- View it on GitLab: https://code.onehippo.org/cms-community/hippo-repository/commit/b3560a0be1f02acb21cca463055f62e2dfeaa751 You're receiving this email because of your account on code.onehippo.org.
_______________________________________________ Hippocms-svn mailing list Hippocms-svn@lists.onehippo.org https://lists.onehippo.org/mailman/listinfo/hippocms-svn