This is an automated email from the ASF dual-hosted git repository.

dixitdeepak pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new ec40fbc1fb Improved: Use framework permissions in SecurityUtilTest 
(OFBIZ-13418) Updated SecurityUtilTest multi-level admin permission cases to 
use framework permission prefixes such as SECURITY, COMMON, and ENTITY_DATA 
instead of application/plugin examples.
ec40fbc1fb is described below

commit ec40fbc1fb3b1aede56ccdce823da8122cee3cfe
Author: Deepak Dixit <[email protected]>
AuthorDate: Tue May 26 18:55:42 2026 +0530

    Improved: Use framework permissions in SecurityUtilTest (OFBIZ-13418)
    Updated SecurityUtilTest multi-level admin permission cases to use 
framework permission prefixes such as SECURITY, COMMON, and ENTITY_DATA instead 
of application/plugin examples.
---
 .../java/org/apache/ofbiz/security/CsrfUtil.java   |  4 +--
 .../org/apache/ofbiz/security/CsrfUtilTests.java   | 28 +++++++++----------
 .../apache/ofbiz/security/SecurityUtilTest.java    | 31 +++++++++++++---------
 3 files changed, 35 insertions(+), 28 deletions(-)

diff --git 
a/framework/security/src/main/java/org/apache/ofbiz/security/CsrfUtil.java 
b/framework/security/src/main/java/org/apache/ofbiz/security/CsrfUtil.java
index 4ab9acf8df..b9009f69d1 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/CsrfUtil.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/CsrfUtil.java
@@ -136,11 +136,11 @@ public final class CsrfUtil {
         }
         String controlServletPart = "/control/"; // TODO remove with 
OFBIZ-11229
         if (requestUri.contains(controlServletPart)) {
-            // e.g. "/partymgr/control/viewprofile" to "viewprofile"
+            // e.g. "/webtools/control/userprofile" to "userprofile"
             requestUri = 
requestUri.substring(requestUri.indexOf(controlServletPart) + 
controlServletPart.length());
         }
         if (requestUri.startsWith("/")) {
-            // e.g. "/viewprofile" to "viewprofile"
+            // e.g. "/userprofile" to "userprofile"
             requestUri = requestUri.substring(1);
         }
         if (requestUri.contains("#")) {
diff --git 
a/framework/security/src/test/java/org/apache/ofbiz/security/CsrfUtilTests.java 
b/framework/security/src/test/java/org/apache/ofbiz/security/CsrfUtilTests.java
index 13ceb0d638..cf7079a723 100644
--- 
a/framework/security/src/test/java/org/apache/ofbiz/security/CsrfUtilTests.java
+++ 
b/framework/security/src/test/java/org/apache/ofbiz/security/CsrfUtilTests.java
@@ -64,14 +64,14 @@ public class CsrfUtilTests {
         when(session.getAttribute("userLogin")).thenReturn(userLogin);
 
         // with userLogin in session, test token map is not retrieved from 
session
-        resultMap = CsrfUtil.getTokenMap(request, "/partymgr");
+        resultMap = CsrfUtil.getTokenMap(request, "/webtools");
         assertNull(resultMap.get("uri_1"));
 
         GenericValue otherUserLogin = mock(GenericValue.class);
         
when(otherUserLogin.getString("userLoginId")).thenReturn("other-test-user");
         when(session.getAttribute("userLogin")).thenReturn(otherUserLogin);
 
-        Map<String, String> otherUserResultMap = CsrfUtil.getTokenMap(request, 
"/partymgr");
+        Map<String, String> otherUserResultMap = CsrfUtil.getTokenMap(request, 
"/webtools");
         assertNotSame(resultMap, otherUserResultMap);
     }
 
@@ -89,11 +89,11 @@ public class CsrfUtilTests {
 
     @Test
     public void testGetRequestUriFromPath() {
-        String requestUri = 
CsrfUtil.getRequestUriFromPath("/viewprofile?partyId=Company");
-        assertEquals("viewprofile", requestUri);
+        String requestUri = 
CsrfUtil.getRequestUriFromPath("/editlogin?userLoginId=testuser");
+        assertEquals("editlogin", requestUri);
 
-        requestUri = 
CsrfUtil.getRequestUriFromPath("/partymgr/control/viewprofile");
-        assertEquals("viewprofile", requestUri);
+        requestUri = 
CsrfUtil.getRequestUriFromPath("/webtools/control/userprofile");
+        assertEquals("userprofile", requestUri);
 
         requestUri = 
CsrfUtil.getRequestUriFromPath("view/entityref_main#org.apache.ofbiz.accounting.budget");
         assertEquals("view/entityref_main", requestUri);
@@ -222,23 +222,23 @@ public class CsrfUtilTests {
         CsrfUtil.setTokenNameNonAjax("csrfToken");
 
         // test link without csrfToken
-        String url = 
CsrfUtil.addOrUpdateTokenInUrl("https://localhost:8443/catalog/control/login";, 
"abcd");
-        
assertEquals("https://localhost:8443/catalog/control/login?csrfToken=abcd";, 
url);
+        String url = 
CsrfUtil.addOrUpdateTokenInUrl("https://localhost:8443/webtools/control/login";, 
"abcd");
+        
assertEquals("https://localhost:8443/webtools/control/login?csrfToken=abcd";, 
url);
 
         // test link with query string and without csrfToken
         url = CsrfUtil.addOrUpdateTokenInUrl(
-                
"https://localhost:8443/partymgr/control/visitdetail?visitId=10301";, "abcd");
+                
"https://localhost:8443/webtools/control/editlogin?userLoginId=testuser";, 
"abcd");
         assertEquals(
-                
"https://localhost:8443/partymgr/control/visitdetail?visitId=10301&csrfToken=abcd";,
+                
"https://localhost:8443/webtools/control/editlogin?userLoginId=testuser&csrfToken=abcd";,
                 url);
 
         // test link with csrfToken
-        url = 
CsrfUtil.addOrUpdateTokenInUrl("https://localhost:8443/catalog/control/login?csrfToken=abcd";,
 "efgh");
-        
assertEquals("https://localhost:8443/catalog/control/login?csrfToken=efgh";, 
url);
+        url = 
CsrfUtil.addOrUpdateTokenInUrl("https://localhost:8443/webtools/control/login?csrfToken=abcd";,
 "efgh");
+        
assertEquals("https://localhost:8443/webtools/control/login?csrfToken=efgh";, 
url);
 
         // test link with csrfToken amd empty csrfToken replacement
-        url = 
CsrfUtil.addOrUpdateTokenInUrl("https://localhost:8443/catalog/control/login?csrfToken=abcd";,
 "");
-        
assertEquals("https://localhost:8443/catalog/control/login?csrfToken=";, url);
+        url = 
CsrfUtil.addOrUpdateTokenInUrl("https://localhost:8443/webtools/control/login?csrfToken=abcd";,
 "");
+        
assertEquals("https://localhost:8443/webtools/control/login?csrfToken=";, url);
     }
 
     @Test
diff --git 
a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
 
b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
index 13d6245fa6..57935e8c1d 100644
--- 
a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
+++ 
b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
@@ -36,6 +36,9 @@ import org.junit.Test;
 
 public class SecurityUtilTest {
 
+    private static final List<String> FRAMEWORK_ADMIN_PERMISSIONS = 
Arrays.asList(
+            "SECURITY", "COMMON", "ENTITY_DATA");
+
     private Path tempHome;
     private Path tempExternal;
     private String previousOfbizHome;
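Review bot: FRAMEWORK_ADMIN_PERMISSIONS on the added lines is built with Arrays.asList, which returns a fixed-size but element-mutable list, so a set() call from any one test method would silently change the fixture seen by the others that share the constant. As a shared static fixture it should be immutable: `List.of("SECURITY", "COMMON", "ENTITY_DATA")` if the project's language level allows it, else `Collections.unmodifiableList(Arrays.asList(...))`; the import block and the language level are outside this hunk, so I cannot tell which is already available. A one-line comment such as `// admin-prefix fixture shared by the multi-level permission tests below` would also help a reader place it.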
@@ -111,28 +114,32 @@ public class SecurityUtilTest {
 
     @Test
     public void basicAdminPermissionTesting() {
-        List<String> adminPermissions = Arrays.asList("PARTYMGR", "EXAMPLE", 
"ACCTG_PREF");
-        
assertTrue(SecurityUtil.checkMultiLevelAdminPermissionValidity(adminPermissions,
 "PARTYMGR_CREATE"));
-        
assertTrue(SecurityUtil.checkMultiLevelAdminPermissionValidity(adminPermissions,
 "EXAMPLE_CREATE "));
-        
assertTrue(SecurityUtil.checkMultiLevelAdminPermissionValidity(adminPermissions,
 "EXAMPLE_ADMIN"));
-        
assertFalse(SecurityUtil.checkMultiLevelAdminPermissionValidity(adminPermissions,
 "ACCTG_ADMIN"));
+        assertTrue(SecurityUtil.checkMultiLevelAdminPermissionValidity(
+                FRAMEWORK_ADMIN_PERMISSIONS, "SECURITY_CREATE1"));
+        assertTrue(SecurityUtil.checkMultiLevelAdminPermissionValidity(
+                FRAMEWORK_ADMIN_PERMISSIONS, "COMMON_CREATE "));
+        assertTrue(SecurityUtil.checkMultiLevelAdminPermissionValidity(
+                FRAMEWORK_ADMIN_PERMISSIONS, "COMMON_ADMIN"));
+        assertFalse(SecurityUtil.checkMultiLevelAdminPermissionValidity(
+                FRAMEWORK_ADMIN_PERMISSIONS, "ENTITY_MAINT"));
     }
 
     @Test
     public void multiLevelAdminPermissionTesting() {
-        List<String> adminPermissions = Arrays.asList("PARTYMGR", "EXAMPLE", 
"ACCTG_PREF");
-        
assertTrue(SecurityUtil.checkMultiLevelAdminPermissionValidity(adminPermissions,
 "PARTYMGR_CME_CREATE"));
         assertTrue(SecurityUtil.checkMultiLevelAdminPermissionValidity(
-                    adminPermissions, "EXAMPLE_WITH_MULTI_LEVEL_ADMIN"));
-        
assertFalse(SecurityUtil.checkMultiLevelAdminPermissionValidity(adminPermissions,
 "ACCTG_ADMIN"));
+                FRAMEWORK_ADMIN_PERMISSIONS, "SECURITY_PWD_UPDATE"));
+        assertTrue(SecurityUtil.checkMultiLevelAdminPermissionValidity(
+                FRAMEWORK_ADMIN_PERMISSIONS, "ENTITY_DATA_UPDATE"));
+        assertFalse(SecurityUtil.checkMultiLevelAdminPermissionValidity(
+                FRAMEWORK_ADMIN_PERMISSIONS, "ENTITY_MAINT"));
     }
 
     @Test
     public void multiLevelBadHierarchyPermissionTesting() {
-        List<String> adminPermissions = Arrays.asList("PARTYMGR", "EXAMPLE", 
"ACCTG_PREF");
         assertFalse(SecurityUtil.checkMultiLevelAdminPermissionValidity(
-                    adminPermissions, "SPECIFIC_MULTI_LEVEL_EXAMPLE_VIEW"));
-        
assertFalse(SecurityUtil.checkMultiLevelAdminPermissionValidity(adminPermissions,
 "HOTDEP_PARTYMGR_ADMIN"));
+                FRAMEWORK_ADMIN_PERMISSIONS, 
"SPECIFIC_MULTI_LEVEL_SECURITY_VIEW"));
+        assertFalse(SecurityUtil.checkMultiLevelAdminPermissionValidity(
+                FRAMEWORK_ADMIN_PERMISSIONS, "WEBTOOLS_ENTITY_DATA_ADMIN"));
     }
 
 }
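Review bot: The first assertion in basicAdminPermissionTesting passes `"SECURITY_CREATE1"`; the trailing `1` looks like a stray character rather than a deliberate input, since the case it replaces was `PARTYMGR_CREATE` and the other cases use a plain `PREFIX_ACTION` form. If it is intentional (checking that any suffix after the admin prefix is accepted), a comment like `// any suffix after the admin prefix is acceptable` would make that explicit; otherwise the line should read `FRAMEWORK_ADMIN_PERMISSIONS, "SECURITY_CREATE"));`. The same applies to `"COMMON_CREATE "`, which carries over the old test's trailing space and reads as a typo unless a comment says it exercises whitespace handling. The `assertFalse(... "ENTITY_MAINT")` case is now duplicated between basicAdminPermissionTesting and multiLevelAdminPermissionTesting, while the old multi-level `_ADMIN` input (`EXAMPLE_WITH_MULTI_LEVEL_ADMIN`) has no replacement, so a multi-level case such as `"SECURITY_PWD_ADMIN"` would restore that coverage — assuming that is the behaviour the original case was meant to pin down.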
