Posted to commits@ofbiz.apache.org by jo...@apache.org on 2007/02/20 22:54:43 UTC

svn commit: r509769 - /ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/WebToolsServices.java

Author: jonesde
Date: Tue Feb 20 13:54:43 2007
New Revision: 509769

URL: http://svn.apache.org/viewvc?view=rev&rev=509769
Log:
Plugged a rather dangerous security hole: these entity import/export services only required auth to run and had no permission checking; they now require the ENTITY_MAINT permission.

Modified:
    ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/WebToolsServices.java

Modified: ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/WebToolsServices.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/WebToolsServices.java?view=diff&rev=509769&r1=509768&r2=509769
==============================================================================
--- ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/WebToolsServices.java (original)
+++ ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/WebToolsServices.java Tue Feb 20 13:54:43 2007
@@ -48,6 +48,7 @@
 import org.ofbiz.base.util.Debug;
 import org.ofbiz.base.util.StringUtil;
 import org.ofbiz.base.util.UtilMisc;
+import org.ofbiz.base.util.UtilProperties;
 import org.ofbiz.base.util.UtilURL;
 import org.ofbiz.base.util.UtilValidate;
 import org.ofbiz.base.util.UtilDateTime;
@@ -60,6 +61,7 @@
 import org.ofbiz.entity.model.ModelReader;
 import org.ofbiz.entity.model.ModelEntity;
 import org.ofbiz.entity.model.ModelViewEntity;
+import org.ofbiz.security.Security;
 import org.ofbiz.service.DispatchContext;
 import org.ofbiz.service.LocalDispatcher;
 import org.ofbiz.service.ServiceUtil;
@@ -78,8 +80,13 @@
     public static final String module = WebToolsServices.class.getName();
 
     public static Map entityImport(DispatchContext dctx, Map context) {
-        LocalDispatcher dispatcher = dctx.getDispatcher();
         GenericValue userLogin = (GenericValue) context.get("userLogin");
+        Security security = dctx.getSecurity();
+        if (!security.hasPermission("ENTITY_MAINT", userLogin)) {
+            return ServiceUtil.returnError(UtilProperties.getMessage("WebtoolsUiLabels", "WebtoolsPermissionError", (Locale) context.get("locale")));
+        }
+
+        LocalDispatcher dispatcher = dctx.getDispatcher();
 
         List messages = new ArrayList();
 
@@ -196,8 +203,13 @@
     }
 
     public static Map entityImportDir(DispatchContext dctx, Map context) {
-        LocalDispatcher dispatcher = dctx.getDispatcher();
         GenericValue userLogin = (GenericValue) context.get("userLogin");
+        Security security = dctx.getSecurity();
+        if (!security.hasPermission("ENTITY_MAINT", userLogin)) {
+            return ServiceUtil.returnError(UtilProperties.getMessage("WebtoolsUiLabels", "WebtoolsPermissionError", (Locale) context.get("locale")));
+        }
+
+        LocalDispatcher dispatcher = dctx.getDispatcher();
 
         List messages = new ArrayList();
 
@@ -299,6 +311,12 @@
     }
 
     public static Map entityImportReaders(DispatchContext dctx, Map context) {
+        GenericValue userLogin = (GenericValue) context.get("userLogin");
+        Security security = dctx.getSecurity();
+        if (!security.hasPermission("ENTITY_MAINT", userLogin)) {
+            return ServiceUtil.returnError(UtilProperties.getMessage("WebtoolsUiLabels", "WebtoolsPermissionError", (Locale) context.get("locale")));
+        }
+
         String readers = (String) context.get("readers");
         String overrideDelegator = (String) context.get("overrideDelegator");
         String overrideGroup = (String) context.get("overrideGroup");
@@ -394,6 +412,12 @@
     }
     
     public static Map parseEntityXmlFile(DispatchContext dctx, Map context) {
+        GenericValue userLogin = (GenericValue) context.get("userLogin");
+        Security security = dctx.getSecurity();
+        if (!security.hasPermission("ENTITY_MAINT", userLogin)) {
+            return ServiceUtil.returnError(UtilProperties.getMessage("WebtoolsUiLabels", "WebtoolsPermissionError", (Locale) context.get("locale")));
+        }
+
         GenericDelegator delegator = dctx.getDelegator();
 
         URL url = (URL)context.get("url");
@@ -430,6 +454,12 @@
     }
 
     public static Map entityExportAll(DispatchContext dctx, Map context) {
+        GenericValue userLogin = (GenericValue) context.get("userLogin");
+        Security security = dctx.getSecurity();
+        if (!security.hasPermission("ENTITY_MAINT", userLogin)) {
+            return ServiceUtil.returnError(UtilProperties.getMessage("WebtoolsUiLabels", "WebtoolsPermissionError", (Locale) context.get("locale")));
+        }
+
         GenericDelegator delegator = dctx.getDelegator();
 
         String outpath = (String)context.get("outpath"); // mandatory