Commit 981a89fa authored by Jeroen Hoffman

REPO-1927 [Back port to 11.2] SecurityManager doesn't sanitize userId in case of external providers to get memberships
- sanitize user id
parent dcdb52dc
* Copyright 2008-2013 Hippo B.V. (
* Copyright 2008-2018 Hippo B.V. (
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
......@@ -362,10 +362,11 @@ public class SecurityManager implements HippoSecurityManager {
private Set<String> getMemberships(String rawUserId, String providerId) {
try {
final String sanitizedUserId = sanitizeUserId(rawUserId, providerId);
if (providers.containsKey(providerId)) {
return providers.get(providerId).getGroupManager().getMembershipIds(rawUserId);
return providers.get(providerId).getGroupManager().getMembershipIds(sanitizedUserId);
} else {
return providers.get(INTERNAL_PROVIDER).getGroupManager().getMembershipIds(sanitizeUserId(rawUserId, providerId));
return providers.get(INTERNAL_PROVIDER).getGroupManager().getMembershipIds(sanitizedUserId);
} catch (RepositoryException e) {
log.warn("Unable to get memberships for userId: " + rawUserId, e);
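Review bot: the log.warn call in the catch block still concatenates rawUserId into the message, so the value this change stops passing to getMembershipIds is still written to the log unsanitized. Since sanitizedUserId is declared inside the try it is not in scope there; either compute it before the try and log that, or keep rawUserId but pass it as a parameter (if log is an SLF4J logger, log.warn("Unable to get memberships for userId: {}", rawUserId, e)) and rely on a log layout that escapes control characters. A test for the external-provider branch, which previously received rawUserId, would also pin the fix.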