Author: pgil
Date: Tue Apr 23 07:31:29 2019
New Revision: 1857992
URL:
http://svn.apache.org/viewvc?rev=1857992&view=revLog:
Fixed: User depersonation does not clean out impersonated user session.
(OFBIZ-10942)
Thank you Leila Mekika for reporting and providing the patch.
Modified:
ofbiz/ofbiz-framework/branches/release18.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
Modified: ofbiz/ofbiz-framework/branches/release18.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
URL:
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release18.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java?rev=1857992&r1=1857991&r2=1857992&view=diff==============================================================================
--- ofbiz/ofbiz-framework/branches/release18.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java (original)
+++ ofbiz/ofbiz-framework/branches/release18.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java Tue Apr 23 07:31:29 2019
@@ -716,8 +716,9 @@ public class LoginWorker {
}
//update the userLogin history, only one impersonation of this user can be active at the same time
+ GenericValue userLogin = (GenericValue) session.getAttribute("userLogin");
EntityCondition conditions = EntityCondition.makeCondition(
- EntityCondition.makeCondition("userLoginId", ((GenericValue) session.getAttribute("userLogin")).get("userLoginId")),
+ EntityCondition.makeCondition("userLoginId", userLogin.get("userLoginId")),
EntityCondition.makeCondition("originUserLoginId", originUserLogin.get("userLoginId")),
EntityUtil.getFilterByDateExpr());
try {
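Review bot: The new local `userLogin` is cast straight from `session.getAttribute("userLogin")` and dereferenced on the next condition line with no null check visible in this hunk. The old inline cast had the same exposure, but the value is now also handed to `doBasicLogout` further down, so a session that has lost its `userLogin` attribute would presumably fail with a NullPointerException instead of a controlled error. Unless an earlier guard exists outside the hunk (the method starts above it), consider `if (userLogin == null) { return "error"; }` right after the assignment.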
@@ -733,6 +734,9 @@ public class LoginWorker {
return "error";
}
+ // Log out currentLogin to clean session
+ doBasicLogout(userLogin, request, response);
+
// Log back the impersonating user
return doMainLogin(request, response, originUserLogin, null);
}
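Review bot: The added `doBasicLogout(userLogin, request, response);` runs only on the success path. The `return "error";` just above it, apparently the failure branch of the history update that begins outside this hunk, still exits with the impersonated user's session state in place. If staying impersonated on failure is intended, say so next to that return, e.g. `// history update failed: session is left impersonated on purpose, caller must retry`. Otherwise the cleanup belongs before the early return or in a `finally`. The new comment could also state the reason for the call, e.g. `// Drop everything stored while impersonating so it cannot carry over into the origin user's session`. It also matters that `originUserLogin` was read before this call, which seems to be the case since it is used earlier in the method, so the logout cannot discard it.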