
Fixed: User depersonation does not clean out impersonated user session.

(OFBIZ-10942)

Thank you Leila Mekika for reporting and providing the patch.


git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1857991 13f79535-47bb-0310-9956-ffa450edef68
gilPts committed Apr 23, 2019
1 parent 26a2a5f commit 9cec8c6443d4bd270d8f81f7eb0986d25235a09f
@@ -719,8 +719,9 @@ public static String depersonateLogin(HttpServletRequest request, HttpServletRes
}

//update the userLogin history, only one impersonation of this user can be active at the same time
GenericValue userLogin = (GenericValue) session.getAttribute("userLogin");
EntityCondition conditions = EntityCondition.makeCondition(
EntityCondition.makeCondition("userLoginId", ((GenericValue) session.getAttribute("userLogin")).get("userLoginId")),
EntityCondition.makeCondition("userLoginId", userLogin.get("userLoginId")),
EntityCondition.makeCondition("originUserLoginId", originUserLogin.get("userLoginId")),
EntityUtil.getFilterByDateExpr());
try {
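Review bot: userLogin is read from session.getAttribute("userLogin") and dereferenced immediately in userLogin.get("userLoginId"), with no null check in the visible context. If the session has expired or carries no userLogin attribute, this throws a NullPointerException rather than returning "error"; suggest guarding it before the conditions are built. Minor: the new declaration sits between the "//update the userLogin history" comment and the condition that comment describes, so moving the declaration above the comment keeps the comment attached to its code.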
@@ -736,6 +737,9 @@ public static String depersonateLogin(HttpServletRequest request, HttpServletRes
return "error";
}

// Log out currentLogin to clean session
doBasicLogout(userLogin, request, response);

// Log back the impersonating user
return doMainLogin(request, response, originUserLogin, null);
}
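Review bot: the new doBasicLogout(userLogin, request, response) call comes after the return "error" branch, so on that early-return path the impersonated user's session is still not cleaned. State in a comment whether leaving the impersonated session in place on failure is intended, or run the cleanup on that path as well. Since doBasicLogout and doMainLogin(request, response, originUserLogin, null) operate on the same request, it is also worth documenting here what session state the logout removes and what doMainLogin can still rely on afterwards.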
