details: https://code.openbravo.com/erp/devel/pi/rev/4fd058dfb0fd changeset: 31571:4fd058dfb0fd user: Carlos Aristu <carlos.aristu <at> openbravo.com> date: Wed Mar 01 18:29:35 2017 +0100 summary: fixes issue 35397: Check readable clients for child properties using DAL WS
Fix for issue #29683 was introducing a security check to avoid showing child properties which belong to a client different from the current client. But this fix was preventing to display some readable objects like master data defined at system level (client 0). Therefore this security check has been improved and now it is verified if the child property is defined for a client which is readable for the current role.
diffstat:
 src/org/openbravo/dal/xml/EntityXMLConverter.java | 27 ++++++++++++++++------
 src/org/openbravo/service/rest/DalWebService.java | 4 ++-
 2 files changed, 22 insertions(+), 9 deletions(-)
diffs (108 lines):
diff -r 68702618a590 -r 4fd058dfb0fd src/org/openbravo/dal/xml/EntityXMLConverter.java
--- a/src/org/openbravo/dal/xml/EntityXMLConverter.java	Tue Feb 28 14:56:32 2017 -0500
+++ b/src/org/openbravo/dal/xml/EntityXMLConverter.java	Wed Mar 01 18:29:35 2017 +0100
@@ -11,7 +11,7 @@
  * under the License.
  * The Original Code is Openbravo ERP.
  * The Initial Developer of the Original Code is Openbravo SLU
- * All portions are Copyright (C) 2008-2015 Openbravo SLU
+ * All portions are Copyright (C) 2008-2017 Openbravo SLU
  * All Rights Reserved.
  * Contributor(s): ______________________________________.
  ************************************************************************
@@ -37,6 +37,7 @@
 import javax.xml.transform.sax.TransformerHandler;
 import javax.xml.transform.stream.StreamResult;
 
+import org.apache.commons.lang.ArrayUtils;
 import org.apache.log4j.Logger;
 import org.hibernate.ScrollableResults;
 import org.openbravo.base.model.Entity;
@@ -119,6 +120,10 @@
   // only export references which belong to this client
   private Client client;
 
+  // child properties are exported if they are defined for a client whose ID is included in
+  // readableClients (if it has been set)
+  private String[] readableClients;
+
   // if the system attributes (version, timestamp, etc.) are added to
   // to the root element, for testcases it makes sense to not have this
   // to compare previous output results with new output results
@@ -474,7 +479,7 @@
       for (final Object o : childObjects) {
         // embed in the parent
         if (isOptionEmbedChildren()) {
-          if (objectBelongsToCurrentClient((BaseOBObject) o)) {
+          if (objectBelongsToReadableClient((BaseOBObject) o)) {
             final DataSetTable dst = (getDataSet() != null && obObject.getEntity() != null) ? dataSetTablesByEntity
                 .get(obObject.getEntity()) : null;
             if ((excludeAuditInfo != null && excludeAuditInfo)
@@ -588,7 +593,7 @@
 
   protected void addToExportList(BaseOBObject bob) {
     // only export references if belonging to the current client
-    if (!objectBelongsToCurrentClient(bob)) {
+    if (!objectBelongsToReadableClient(bob)) {
       return;
     }
 
@@ -600,12 +605,14 @@
     allToProcessObjects.add(bob);
   }
 
-  private boolean objectBelongsToCurrentClient(BaseOBObject bob) {
-    Client currentClient = getClient();
-    if (currentClient != null && bob instanceof ClientEnabled) {
-      String currentClientId = currentClient.getId();
+  private boolean objectBelongsToReadableClient(BaseOBObject bob) {
+    if (bob instanceof ClientEnabled) {
       String bobClientId = ((ClientEnabled) bob).getClient().getId();
-      return currentClientId.equals(bobClientId);
+      if (readableClients != null) {
+        return ArrayUtils.contains(readableClients, bobClientId);
+      } else if (client != null) {
+        return bobClientId.equals(client.getId());
+      }
     }
     return true;
   }
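Review bot: `objectBelongsToReadableClient` still ends in `return true;` when neither `readableClients` nor `client` has been set (and for any object that is not `ClientEnabled`), so a converter whose caller forgets to configure a filter exports children of every client; the web service sets both here, but other instantiators of EntityXMLConverter are not visible in this diff. Since this method is now the authorization decision for embedded children, that fail-open default deserves an explicit comment on the final return, e.g. `// no client filter configured: every object passes; callers exposing data to a role must set one`. The comments left untouched by the hunk are now stale: `// only export references if belonging to the current client` above the call in `addToExportList` and `// only export references which belong to this client` on the `client` field both describe the old current-client-only check, while the filter is now the role's readable clients whenever they are set, with the current client only as a fallback — suggest `// only export references whose client is readable for the current role (falls back to the current client)`. It is also worth stating in the field comment that a non-null `readableClients` takes precedence over `client`, so the two settings are not combined.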
@@ -794,6 +801,10 @@
     this.client = client;
   }
 
+  public void setReadableClients(String[] readableClients) {
+    this.readableClients = readableClients;
+  }
+
   public boolean isOptionExportAuditInfo() {
     return optionExportAuditInfo;
   }
diff -r 68702618a590 -r 4fd058dfb0fd src/org/openbravo/service/rest/DalWebService.java
--- a/src/org/openbravo/service/rest/DalWebService.java	Tue Feb 28 14:56:32 2017 -0500
+++ b/src/org/openbravo/service/rest/DalWebService.java	Wed Mar 01 18:29:35 2017 +0100
@@ -11,7 +11,7 @@
  * under the License.
  * The Original Code is Openbravo ERP.
  * The Initial Developer of the Original Code is Openbravo SLU
- * All portions are Copyright (C) 2008-2016 Openbravo SLU
+ * All portions are Copyright (C) 2008-2017 Openbravo SLU
  * All Rights Reserved.
  * Contributor(s): ______________________________________.
  ************************************************************************
@@ -206,6 +206,7 @@
       addSelectedPropertiesToEXC(exc, request.getParameter(PARAMETER_PROPERTIES), entity);
     }
     exc.setClient(OBContext.getOBContext().getCurrentClient());
+    exc.setReadableClients(OBContext.getOBContext().getReadableClients());
     exc.setOptionEmbedChildren(true);
     exc.setOptionIncludeChildren(includeChildren);
     exc.setOptionIncludeReferenced(false);
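Review bot: The filter wired in at `exc.setReadableClients(...)` decides the visibility of embedded children by client only; whether those children are also checked against the role's readable organizations somewhere else on this export path is not visible in the diff, so if no organization check applies, a role can still receive children from organizations it cannot read inside a readable client — worth confirming before this is relied on as the access check for the DAL web service. The setter in the first hunk also keeps the caller's array by reference, so any later mutation of the array returned by `OBContext.getReadableClients()` changes the converter's filter; `this.readableClients = readableClients == null ? null : readableClients.clone();` avoids that, although the converter appears to be created per request here. Either way, a one-line Javadoc on the setter saying that a null value falls back to the current-client check would save the next caller from reading the private method to find out.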
@@ -244,6 +245,7 @@
     final StringWriter sw = new StringWriter();
     final EntityXMLConverter exc = EntityXMLConverter.newInstance();
     exc.setClient(OBContext.getOBContext().getCurrentClient());
+    exc.setReadableClients(OBContext.getOBContext().getReadableClients());
     exc.setOptionEmbedChildren(true);
     exc.setOptionIncludeChildren(includeChildren);
     exc.setOptionIncludeReferenced(false);
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Openbravo-commits mailing list
Openbravo-commits@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openbravo-commits