Posted to commits@ofbiz.apache.org by jl...@apache.org on 2015/09/13 10:33:03 UTC

svn commit: r1702705 - in /ofbiz/branches/release14.12: ./ applications/content/script/org/ofbiz/content/content/ applications/order/script/org/ofbiz/order/quote/ applications/order/script/org/ofbiz/order/requirement/ applications/party/config/

Author: jleroux
Date: Sun Sep 13 08:33:03 2015
New Revision: 1702705

URL: http://svn.apache.org/r1702705
Log:
"Applied fix from trunk for revision: 1702704"
------------------------------------------------------------------------
r1702704 | jleroux | 2015-09-13 10:31:55 +0200 (dim. 13 sept. 2015) | 19 lignes

A patch for "createQuoteRole, createContentRole, and createRequirementRole allow for adding Roles to a Party without permissions" https://issues.apache.org/jira/browse/OFBIZ-6605

Reported by Forrest Rae:
The following functions automatically add a PartyRole entry if the PartyRole does not exist. This is possible even when the userLogin doesn't have PARTYMGR_UPDATE or PARTYMGR_CREATE.

createQuoteRole
createContentRole
createRequirementRole

Repro:
1) Remove PARTYMGR_UPDATE or PARTYMGR_CREATE permissions from the ORDERENTRY group.
2) Login as DemoRepStore
3) Create a Quote
4) Add a QuoteRole with partyId of DemoRepStore and Role of your choosing.
5) View DemoRepStore roles.

This is a security problem for anyone building components that leverage Role based security.

jleroux: simple solution, check before creating the new role that the user has PARTYMGR_UPDATE or PARTYMGR_CREATE.
------------------------------------------------------------------------


Modified:
    ofbiz/branches/release14.12/   (props changed)
    ofbiz/branches/release14.12/applications/content/script/org/ofbiz/content/content/ContentServices.xml
    ofbiz/branches/release14.12/applications/order/script/org/ofbiz/order/quote/QuoteServices.xml
    ofbiz/branches/release14.12/applications/order/script/org/ofbiz/order/requirement/RequirementServices.xml
    ofbiz/branches/release14.12/applications/party/config/PartyErrorUiLabels.xml

Propchange: ofbiz/branches/release14.12/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sun Sep 13 08:33:03 2015
@@ -8,4 +8,4 @@
 /ofbiz/branches/json-integration-refactoring:1634077-1635900
 /ofbiz/branches/multitenant20100310:921280-927264
 /ofbiz/branches/release13.07:1547657
-/ofbiz/trunk:1649072,1649083-1649084,1649086,1649090,1649096,1649230,1649238-1649239,1649248,1649272,1649275,1649280-1649281,1649283,1649285-1649286,1649291,1649329,1649331,1649384,1649393,1649666,1649742,1650240,1650348,1650357,1650583,1650642,1650678,1650821,1650882,1650887,1650938,1651593,1652312,1652361,1652638,1652641,1652672,1652688,1652706,1652725,1652731,1652739,1652852,1653248,1653296,1653456,1653597,1653614,1654175,1654273,1654509,1654670,1654672-1654673,1654683-1654684,1654824,1655046,1655668,1655979,1656014,1656185,1656198,1656445,1656983,1657323,1657506-1657507,1657514,1657714,1657790,1657848,1658364,1658662,1658882,1659224,1659965,1660031,1660053,1660389,1660444,1660579,1661303,1661328,1661760,1661778,1661853,1661862,1661873,1661940,1661951,1661977,1662119-1662120,1662361,1662500,1662812,1662919,1663202,1663912,1663979,1664602,1664604,1664696,1665154,1665162,1665535,1666404,1666511,1666633,1666836,1666939,1666949,1666958,1667055,1667253,1667483,1667492,1667774,1668207,
 1668214,1668236,1668246,1668258,1668263,1668265,1668270,1668277,1668314,1668657,1669317,1669588,1672427,1672430,1672846,1672853,1672856,1672862,1672873,1673764,1674447,1674464,1674491,1674496,1674908,1676674,1677123,1677597,1677769-1677770,1678294,1678882,1678911,1679689,1679697,1679709,1679720,1679728,1679732,1679957,1680155,1680288,1680304,1680671,1680675,1680733,1680840,1680881,1682272,1682295,1682415,1682633,1683998,1684094,1686360,1686536,1686545,1686566,1686569,1686574,1686583,1686635,1686651,1686970,1687427,1688772,1690086,1690581,1692357,1692458,1692600,1692604,1693393,1693579,1695017,1696234,1697590,1697647,1697993,1698259,1698261,1698263,1701164,1701441,1701819,1701825,1701936,1702002,1702548
+/ofbiz/trunk:1649072,1649083-1649084,1649086,1649090,1649096,1649230,1649238-1649239,1649248,1649272,1649275,1649280-1649281,1649283,1649285-1649286,1649291,1649329,1649331,1649384,1649393,1649666,1649742,1650240,1650348,1650357,1650583,1650642,1650678,1650821,1650882,1650887,1650938,1651593,1652312,1652361,1652638,1652641,1652672,1652688,1652706,1652725,1652731,1652739,1652852,1653248,1653296,1653456,1653597,1653614,1654175,1654273,1654509,1654670,1654672-1654673,1654683-1654684,1654824,1655046,1655668,1655979,1656014,1656185,1656198,1656445,1656983,1657323,1657506-1657507,1657514,1657714,1657790,1657848,1658364,1658662,1658882,1659224,1659965,1660031,1660053,1660389,1660444,1660579,1661303,1661328,1661760,1661778,1661853,1661862,1661873,1661940,1661951,1661977,1662119-1662120,1662361,1662500,1662812,1662919,1663202,1663912,1663979,1664602,1664604,1664696,1665154,1665162,1665535,1666404,1666511,1666633,1666836,1666939,1666949,1666958,1667055,1667253,1667483,1667492,1667774,1668207,
 1668214,1668236,1668246,1668258,1668263,1668265,1668270,1668277,1668314,1668657,1669317,1669588,1672427,1672430,1672846,1672853,1672856,1672862,1672873,1673764,1674447,1674464,1674491,1674496,1674908,1676674,1677123,1677597,1677769-1677770,1678294,1678882,1678911,1679689,1679697,1679709,1679720,1679728,1679732,1679957,1680155,1680288,1680304,1680671,1680675,1680733,1680840,1680881,1682272,1682295,1682415,1682633,1683998,1684094,1686360,1686536,1686545,1686566,1686569,1686574,1686583,1686635,1686651,1686970,1687427,1688772,1690086,1690581,1692357,1692458,1692600,1692604,1693393,1693579,1695017,1696234,1697590,1697647,1697993,1698259,1698261,1698263,1701164,1701441,1701819,1701825,1701936,1702002,1702548,1702704

Modified: ofbiz/branches/release14.12/applications/content/script/org/ofbiz/content/content/ContentServices.xml
URL: http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/content/script/org/ofbiz/content/content/ContentServices.xml?rev=1702705&r1=1702704&r2=1702705&view=diff
==============================================================================
--- ofbiz/branches/release14.12/applications/content/script/org/ofbiz/content/content/ContentServices.xml (original)
+++ ofbiz/branches/release14.12/applications/content/script/org/ofbiz/content/content/ContentServices.xml Sun Sep 13 08:33:03 2015
@@ -278,6 +278,14 @@
         <set-pk-fields value-field="partyRolePK" map="parameters"/>
         <find-by-primary-key entity-name="PartyRole" map="partyRolePK" value-field="partyRole"/>
         <if-empty field="partyRole">
+            <check-permission permission="PARTYMGR" action="_CREATE">
+                <fail-property resource="OrderErrorUiLabels" property="OrderErrorCreatePermissionError"/>
+            </check-permission>
+            <check-errors/>
+            <check-permission permission="PARTYMGR" action="_UPDATE">
+                <fail-property resource="OrderErrorUiLabels" property="OrderErrorCreatePermissionError"/>
+            </check-permission>
+            <check-errors/>
             <make-value entity-name="PartyRole" map="partyRolePK" value-field="partyRole"/>
             <create-value value-field="partyRole"/>
         </if-empty>
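Review bot: the two `<check-permission>` blocks at the top of the `<if-empty>` body, each followed by its own `<check-errors/>`, require the caller to hold both PARTYMGR_CREATE and PARTYMGR_UPDATE, whereas the log message and the new label text ("PARTYMGR_CREATE or PARTYMGR_UPDATE") describe an either/or check; a user holding only one of the two is rejected as written. If OR is the intent, collapse it to a single check with the alternate permission declared on it, `<check-permission permission="PARTYMGR" action="_CREATE"><alt-permission permission="PARTYMGR" action="_UPDATE"/><fail-property .../></check-permission>`, followed by one `<check-errors/>`. The same pair appears in the Quote and Requirement hunks and needs the same treatment.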

Modified: ofbiz/branches/release14.12/applications/order/script/org/ofbiz/order/quote/QuoteServices.xml
URL: http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/order/script/org/ofbiz/order/quote/QuoteServices.xml?rev=1702705&r1=1702704&r2=1702705&view=diff
==============================================================================
--- ofbiz/branches/release14.12/applications/order/script/org/ofbiz/order/quote/QuoteServices.xml (original)
+++ ofbiz/branches/release14.12/applications/order/script/org/ofbiz/order/quote/QuoteServices.xml Sun Sep 13 08:33:03 2015
@@ -282,6 +282,14 @@ under the License.
         <set from-field="parameters.roleTypeId" field="lookupPKMap.roleTypeId"/>
         <find-by-primary-key entity-name="PartyRole" map="lookupPKMap" value-field="partyRole"/>
         <if-empty field="partyRole.partyId">
+            <check-permission permission="PARTYMGR" action="_CREATE">
+                <fail-property resource="OrderErrorUiLabels" property="OrderErrorCreatePermissionError"/>
+            </check-permission>
+            <check-errors/>
+            <check-permission permission="PARTYMGR" action="_UPDATE">
+                <fail-property resource="OrderErrorUiLabels" property="OrderErrorCreatePermissionError"/>
+            </check-permission>
+            <check-errors/>
             <make-value value-field="partyRole" entity-name="PartyRole"/>
             <set-pk-fields map="lookupPKMap" value-field="partyRole"/>
             <create-value value-field="partyRole"/>
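Review bot: `<fail-property resource="OrderErrorUiLabels" property="OrderErrorCreatePermissionError"/>` names a resource and key that this commit does not add; the label introduced below lives in PartyErrorUiLabels.xml under the key `PartyErrorCreatePermissionError`. Unless `OrderErrorCreatePermissionError` already exists in OrderErrorUiLabels, the permission failure will surface as an unresolved label rather than the intended message. Point the three hunks at `resource="PartyErrorUiLabels" property="PartyErrorCreatePermissionError"`; for ContentServices.xml that also removes a reference from the content component into an order-component resource bundle.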

Modified: ofbiz/branches/release14.12/applications/order/script/org/ofbiz/order/requirement/RequirementServices.xml
URL: http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/order/script/org/ofbiz/order/requirement/RequirementServices.xml?rev=1702705&r1=1702704&r2=1702705&view=diff
==============================================================================
--- ofbiz/branches/release14.12/applications/order/script/org/ofbiz/order/requirement/RequirementServices.xml (original)
+++ ofbiz/branches/release14.12/applications/order/script/org/ofbiz/order/requirement/RequirementServices.xml Sun Sep 13 08:33:03 2015
@@ -107,6 +107,14 @@ under the License.
         <set from-field="parameters.roleTypeId" field="lookupPKMap.roleTypeId"/>
         <find-by-primary-key entity-name="PartyRole" map="lookupPKMap" value-field="partyRole"/>
         <if-empty field="partyRole.partyId">
+            <check-permission permission="PARTYMGR" action="_CREATE">
+                <fail-property resource="OrderErrorUiLabels" property="OrderErrorCreatePermissionError"/>
+            </check-permission>
+            <check-errors/>
+            <check-permission permission="PARTYMGR" action="_UPDATE">
+                <fail-property resource="OrderErrorUiLabels" property="OrderErrorCreatePermissionError"/>
+            </check-permission>
+            <check-errors/>
             <make-value value-field="partyRole" entity-name="PartyRole"/>
             <set-pk-fields map="lookupPKMap" value-field="partyRole"/>
             <create-value value-field="partyRole"/>
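Review bot: this is the third verbatim copy of the same eight-line guard (ContentServices, QuoteServices and here), each protecting a find-then-create of PartyRole in a caller. Any future service that lazily creates a PartyRole has to remember to repeat it; a single party-side find-or-create service that carries the permission check, called from these three places, keeps the authorization rule in one spot and makes later fixes (such as the AND/OR semantics of the two checks) a one-file change. Worth confirming as well that the ORDERENTRY flows used in the repro (logging in as DemoRepStore and assigning a QuoteRole) still complete for the roles those users legitimately need, since after this change role assignment fails whenever the target party lacks the role and the caller lacks party permissions.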

Modified: ofbiz/branches/release14.12/applications/party/config/PartyErrorUiLabels.xml
URL: http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/party/config/PartyErrorUiLabels.xml?rev=1702705&r1=1702704&r2=1702705&view=diff
==============================================================================
--- ofbiz/branches/release14.12/applications/party/config/PartyErrorUiLabels.xml (original)
+++ ofbiz/branches/release14.12/applications/party/config/PartyErrorUiLabels.xml Sun Sep 13 08:33:03 2015
@@ -1159,6 +1159,16 @@
         <value xml:lang="zh">必须的参数 'email' 不能为空。</value>
         <value xml:lang="zh_TW">必要的參數 'email' 不能為空.</value>
     </property>
+    <property key="PartyErrorCreatePermissionError">
+        <value xml:lang="ar">خطأ أمني: يجب أن يكون لديك أذن PARTYMGR_CREATE أو PARTYMGR_UPDATE لتشغل ${resourceDescription}</value>
+        <value xml:lang="de">Berechtigungsfehler: Um ${resourceDescription} auszuführen muss man PARTYMGR_CREATE oder PARTYMGR_UPDATE Berechtigungen haben</value>
+        <value xml:lang="en">Security Error: to run ${resourceDescription} you must have the PARTYMGR_CREATE or PARTYMGR_UPDATE permission</value>
+        <value xml:lang="fr">Erreur de sécurité : pour effectuer ${resourceDescription} vous devez avoir l'autorisation PARTYMGR_CREATE ou PARTYMGR_UPDATE</value>
+        <value xml:lang="it">Errore di sicurezza: per eseguire ${resourceDescription} devi avere il permesso PARTYMGR_CREATE o PARTYMGR_UPDATE</value>
+        <value xml:lang="ja">セキュリティエラー: ${resourceDescription} を実行するには PARTYMGR_CREATE または PARTYMGR_UPDATE 権限が必要です</value>
+        <value xml:lang="vi">Lỗi phân quyền: để thực thi ${resourceDescription} bạn cần có quyền PARTYMGR_CREATE hoặc PARTYMGR_UPDATE</value>
+        <value xml:lang="zh">系统错误:要运行${resourceDescription},你必须有 PARTYMGR_CREATE 或 PARTYMGR_UPDATE 权限</value>
+    </property>
     <property key="person.create.db_error">
         <value xml:lang="de">Kann Informationen zur Person nicht hinzufügen (Schreibfehler): ${0}</value>
         <value xml:lang="en">Could not add person info (write failure): ${0}</value>
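Review bot: the `zh` value of the new `PartyErrorCreatePermissionError` property opens with 系统错误 ("system error") while every other locale, and the `en` text it translates, says "security error"; 安全错误 would match. Separately, none of the service hunks in this commit reference this key (they use `OrderErrorUiLabels`/`OrderErrorCreatePermissionError`), so the property is unused until those references are corrected to `PartyErrorUiLabels`/`PartyErrorCreatePermissionError`.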