Posted to commits@ofbiz.apache.org by jo...@apache.org on 2007/02/20 22:54:43 UTC
svn commit: r509769 -
/ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/WebToolsServices.java
Author: jonesde
Date: Tue Feb 20 13:54:43 2007
New Revision: 509769
URL: http://svn.apache.org/viewvc?view=rev&rev=509769
Log:
Plugged a rather dangerous security hole: these entity import/export services only required auth to run and had no permission checking, they now require the ENTITY_MAINT permission
Modified:
ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/WebToolsServices.java
Modified: ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/WebToolsServices.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/WebToolsServices.java?view=diff&rev=509769&r1=509768&r2=509769
==============================================================================
--- ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/WebToolsServices.java (original)
+++ ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/WebToolsServices.java Tue Feb 20 13:54:43 2007
@@ -48,6 +48,7 @@
import org.ofbiz.base.util.Debug;
import org.ofbiz.base.util.StringUtil;
import org.ofbiz.base.util.UtilMisc;
+import org.ofbiz.base.util.UtilProperties;
import org.ofbiz.base.util.UtilURL;
import org.ofbiz.base.util.UtilValidate;
import org.ofbiz.base.util.UtilDateTime;
@@ -60,6 +61,7 @@
import org.ofbiz.entity.model.ModelReader;
import org.ofbiz.entity.model.ModelEntity;
import org.ofbiz.entity.model.ModelViewEntity;
+import org.ofbiz.security.Security;
import org.ofbiz.service.DispatchContext;
import org.ofbiz.service.LocalDispatcher;
import org.ofbiz.service.ServiceUtil;
@@ -78,8 +80,13 @@
public static final String module = WebToolsServices.class.getName();
public static Map entityImport(DispatchContext dctx, Map context) {
- LocalDispatcher dispatcher = dctx.getDispatcher();
GenericValue userLogin = (GenericValue) context.get("userLogin");
+ Security security = dctx.getSecurity();
+ if (!security.hasPermission("ENTITY_MAINT", userLogin)) {
+ return ServiceUtil.returnError(UtilProperties.getMessage("WebtoolsUiLabels", "WebtoolsPermissionError", (Locale) context.get("locale")));
+ }
+
+ LocalDispatcher dispatcher = dctx.getDispatcher();
List messages = new ArrayList();
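Review bot: The same four-line ENTITY_MAINT guard is pasted verbatim into entityImport here and again in entityImportDir, entityImportReaders, parseEntityXmlFile and entityExportAll in the following hunks, so any later change to the permission name, the "WebtoolsPermissionError" label key or the locale handling has to be repeated five times. A private static helper that does the lookup and returns either the error result or null keeps each service to a two-line check, and it is also the single place to record the refused call through the already-imported Debug, which matters for auditing because these services can load or dump the entire datastore. Whether security.hasPermission treats a null userLogin as denied is not visible in this diff — confirm against Security before relying on it; the log line below guards for null so it cannot itself fail. entityImport's body continues past the end of the hunk.
```java
    /** Returns the ENTITY_MAINT permission error result for this call, or null when the caller is allowed. */
    private static Map checkEntityMaintPermission(DispatchContext dctx, Map context) {
        GenericValue userLogin = (GenericValue) context.get("userLogin");
        Security security = dctx.getSecurity();
        if (!security.hasPermission("ENTITY_MAINT", userLogin)) {
            // record the refusal for audit; log only the id, not the whole GenericValue
            String userLoginId = userLogin == null ? "[none]" : userLogin.getString("userLoginId");
            Debug.logWarning("ENTITY_MAINT permission denied for userLoginId " + userLoginId, module);
            return ServiceUtil.returnError(UtilProperties.getMessage("WebtoolsUiLabels", "WebtoolsPermissionError", (Locale) context.get("locale")));
        }
        return null;
    }

    public static Map entityImport(DispatchContext dctx, Map context) {
        Map permissionError = checkEntityMaintPermission(dctx, context);
        if (permissionError != null) return permissionError;
        GenericValue userLogin = (GenericValue) context.get("userLogin");
        LocalDispatcher dispatcher = dctx.getDispatcher();
        // … unchanged: rest of entityImport …
```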
@@ -196,8 +203,13 @@
}
public static Map entityImportDir(DispatchContext dctx, Map context) {
- LocalDispatcher dispatcher = dctx.getDispatcher();
GenericValue userLogin = (GenericValue) context.get("userLogin");
+ Security security = dctx.getSecurity();
+ if (!security.hasPermission("ENTITY_MAINT", userLogin)) {
+ return ServiceUtil.returnError(UtilProperties.getMessage("WebtoolsUiLabels", "WebtoolsPermissionError", (Locale) context.get("locale")));
+ }
+
+ LocalDispatcher dispatcher = dctx.getDispatcher();
List messages = new ArrayList();
@@ -299,6 +311,12 @@
}
public static Map entityImportReaders(DispatchContext dctx, Map context) {
+ GenericValue userLogin = (GenericValue) context.get("userLogin");
+ Security security = dctx.getSecurity();
+ if (!security.hasPermission("ENTITY_MAINT", userLogin)) {
+ return ServiceUtil.returnError(UtilProperties.getMessage("WebtoolsUiLabels", "WebtoolsPermissionError", (Locale) context.get("locale")));
+ }
+
String readers = (String) context.get("readers");
String overrideDelegator = (String) context.get("overrideDelegator");
String overrideGroup = (String) context.get("overrideGroup");
@@ -394,6 +412,12 @@
}
public static Map parseEntityXmlFile(DispatchContext dctx, Map context) {
+ GenericValue userLogin = (GenericValue) context.get("userLogin");
+ Security security = dctx.getSecurity();
+ if (!security.hasPermission("ENTITY_MAINT", userLogin)) {
+ return ServiceUtil.returnError(UtilProperties.getMessage("WebtoolsUiLabels", "WebtoolsPermissionError", (Locale) context.get("locale")));
+ }
+
GenericDelegator delegator = dctx.getDelegator();
URL url = (URL)context.get("url");
@@ -430,6 +454,12 @@
}
public static Map entityExportAll(DispatchContext dctx, Map context) {
+ GenericValue userLogin = (GenericValue) context.get("userLogin");
+ Security security = dctx.getSecurity();
+ if (!security.hasPermission("ENTITY_MAINT", userLogin)) {
+ return ServiceUtil.returnError(UtilProperties.getMessage("WebtoolsUiLabels", "WebtoolsPermissionError", (Locale) context.get("locale")));
+ }
+
GenericDelegator delegator = dctx.getDelegator();
String outpath = (String)context.get("outpath"); // mandatory