Fixed: User depersonation do not clean out impersonated user session.

Thank you Leila Mekika for reporting and providing the patch.

git-svn-id: 13f79535-47bb-0310-9956-ffa450edef68
gilPts committed Apr 23, 2019
1 parent 26a2a5f commit 9cec8c6443d4bd270d8f81f7eb0986d25235a09f
Showing with 5 additions and 1 deletion.
  1. +5 −1 framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/
@@ -719,8 +719,9 @@ public static String depersonateLogin(HttpServletRequest request, HttpServletRes

//update the userLogin history, only one impersonation of this user can be active at the same time
GenericValue userLogin = (GenericValue) session.getAttribute("userLogin");
EntityCondition conditions = EntityCondition.makeCondition(
EntityCondition.makeCondition("userLoginId", ((GenericValue) session.getAttribute("userLogin")).get("userLoginId")),
EntityCondition.makeCondition("userLoginId", userLogin.get("userLoginId")),
EntityCondition.makeCondition("originUserLoginId", originUserLogin.get("userLoginId")),
try {
@@ -736,6 +737,9 @@ public static String depersonateLogin(HttpServletRequest request, HttpServletRes
return "error";

// Log out currentLogin to clean session
doBasicLogout(userLogin, request, response);

// Log back the impersonating user
return doMainLogin(request, response, originUserLogin, null);
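Review bot: The new `doBasicLogout(userLogin, request, response)` call in the second hunk sits after the `return "error";` that closes the history update, so when that update fails the request appears to return with the impersonated user's session state still in place. Clearing that state is the security-relevant part of this fix and should probably not depend on the audit write succeeding; consider also calling `doBasicLogout(userLogin, request, response);` before `return "error";`. The catch block and the rest of depersonateLogin lie outside the visible hunks, so confirm which failure actually reaches that return and whether `userLogin` can be null when the session has already expired. The added comment could also say what must not survive, e.g. `// Log out the impersonated login so none of its session attributes carry over to the restored user`.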
