Posted to commits@ofbiz.apache.org by jl...@apache.org on 2015/09/13 10:31:55 UTC
svn commit: r1702704 - in /ofbiz/trunk/applications:
content/script/org/ofbiz/content/content/ order/script/org/ofbiz/order/quote/
order/script/org/ofbiz/order/requirement/ party/config/
Author: jleroux
Date: Sun Sep 13 08:31:55 2015
New Revision: 1702704
URL: http://svn.apache.org/r1702704
Log:
A patch for "createQuoteRole, createContentRole, and createRequirementRole allow for adding Roles to a Party without permissions" https://issues.apache.org/jira/browse/OFBIZ-6605
Reported by Forrest Rae:
The following functions automatically add a PartyRole entry if the PartyRole does not exist. This is possible even when the userLogin doesn't have PARTYMGR_UPDATE or PARTYMGR_CREATE.
createQuoteRole
createContentRole
createRequirementRole
Repro:
1) Remove PARTYMGR_UPDATE or PARTYMGR_CREATE permissions from the ORDERENTRY group.
2) Login as DemoRepStore
3) Create a Quote
4) Add a QuoteRole with partyId of DemoRepStore and Role of your choosing.
5) View DemoRepStore roles.
This is a security problem for anyone building component that leverages Role based security.
jleroux: simple solution, check before creating the new role the user has PARTYMGR_UPDATE or PARTYMGR_CREATE.
Modified:
ofbiz/trunk/applications/content/script/org/ofbiz/content/content/ContentServices.xml
ofbiz/trunk/applications/order/script/org/ofbiz/order/quote/QuoteServices.xml
ofbiz/trunk/applications/order/script/org/ofbiz/order/requirement/RequirementServices.xml
ofbiz/trunk/applications/party/config/PartyErrorUiLabels.xml
Modified: ofbiz/trunk/applications/content/script/org/ofbiz/content/content/ContentServices.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/script/org/ofbiz/content/content/ContentServices.xml?rev=1702704&r1=1702703&r2=1702704&view=diff
==============================================================================
--- ofbiz/trunk/applications/content/script/org/ofbiz/content/content/ContentServices.xml (original)
+++ ofbiz/trunk/applications/content/script/org/ofbiz/content/content/ContentServices.xml Sun Sep 13 08:31:55 2015
@@ -278,6 +278,14 @@
<set-pk-fields value-field="partyRolePK" map="parameters"/>
<find-by-primary-key entity-name="PartyRole" map="partyRolePK" value-field="partyRole"/>
<if-empty field="partyRole">
+ <check-permission permission="PARTYMGR" action="_CREATE">
+ <fail-property resource="OrderErrorUiLabels" property="OrderErrorCreatePermissionError"/>
+ </check-permission>
+ <check-errors/>
+ <check-permission permission="PARTYMGR" action="_UPDATE">
+ <fail-property resource="OrderErrorUiLabels" property="OrderErrorCreatePermissionError"/>
+ </check-permission>
+ <check-errors/>
<make-value entity-name="PartyRole" map="partyRolePK" value-field="partyRole"/>
<create-value value-field="partyRole"/>
</if-empty>
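Review bot: The two added checks are stricter than the log describes: each `check-permission` is followed by its own `check-errors`, so a caller lacking either PARTYMGR_CREATE or PARTYMGR_UPDATE fails, i.e. both permissions are required rather than one of them. The same shape is repeated in the QuoteServices.xml and RequirementServices.xml hunks of this commit. In addition, the `fail-property` on the new lines points at `OrderErrorUiLabels`/`OrderErrorCreatePermissionError`, while the label this commit actually adds is `PartyErrorCreatePermissionError` in `PartyErrorUiLabels`, so the new translations are never shown and the Content component gains a dependency on an Order-component label. Minilang's `alt-permission` child expresses the intended "either" semantics with a single error path; the enclosing simple-method starts before this hunk.
```xml
<if-empty field="partyRole">
    <check-permission permission="PARTYMGR" action="_CREATE">
        <alt-permission permission="PARTYMGR" action="_UPDATE"/>
        <fail-property resource="PartyErrorUiLabels" property="PartyErrorCreatePermissionError"/>
    </check-permission>
    <check-errors/>
    <!-- … unchanged: make-value / create-value of partyRole … -->
</if-empty>
```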
Modified: ofbiz/trunk/applications/order/script/org/ofbiz/order/quote/QuoteServices.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/script/org/ofbiz/order/quote/QuoteServices.xml?rev=1702704&r1=1702703&r2=1702704&view=diff
==============================================================================
--- ofbiz/trunk/applications/order/script/org/ofbiz/order/quote/QuoteServices.xml (original)
+++ ofbiz/trunk/applications/order/script/org/ofbiz/order/quote/QuoteServices.xml Sun Sep 13 08:31:55 2015
@@ -282,6 +282,14 @@ under the License.
<set from-field="parameters.roleTypeId" field="lookupPKMap.roleTypeId"/>
<find-by-primary-key entity-name="PartyRole" map="lookupPKMap" value-field="partyRole"/>
<if-empty field="partyRole.partyId">
+ <check-permission permission="PARTYMGR" action="_CREATE">
+ <fail-property resource="OrderErrorUiLabels" property="OrderErrorCreatePermissionError"/>
+ </check-permission>
+ <check-errors/>
+ <check-permission permission="PARTYMGR" action="_UPDATE">
+ <fail-property resource="OrderErrorUiLabels" property="OrderErrorCreatePermissionError"/>
+ </check-permission>
+ <check-errors/>
<make-value value-field="partyRole" entity-name="PartyRole"/>
<set-pk-fields map="lookupPKMap" value-field="partyRole"/>
<create-value value-field="partyRole"/>
Modified: ofbiz/trunk/applications/order/script/org/ofbiz/order/requirement/RequirementServices.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/script/org/ofbiz/order/requirement/RequirementServices.xml?rev=1702704&r1=1702703&r2=1702704&view=diff
==============================================================================
--- ofbiz/trunk/applications/order/script/org/ofbiz/order/requirement/RequirementServices.xml (original)
+++ ofbiz/trunk/applications/order/script/org/ofbiz/order/requirement/RequirementServices.xml Sun Sep 13 08:31:55 2015
@@ -107,6 +107,14 @@ under the License.
<set from-field="parameters.roleTypeId" field="lookupPKMap.roleTypeId"/>
<find-by-primary-key entity-name="PartyRole" map="lookupPKMap" value-field="partyRole"/>
<if-empty field="partyRole.partyId">
+ <check-permission permission="PARTYMGR" action="_CREATE">
+ <fail-property resource="OrderErrorUiLabels" property="OrderErrorCreatePermissionError"/>
+ </check-permission>
+ <check-errors/>
+ <check-permission permission="PARTYMGR" action="_UPDATE">
+ <fail-property resource="OrderErrorUiLabels" property="OrderErrorCreatePermissionError"/>
+ </check-permission>
+ <check-errors/>
<make-value value-field="partyRole" entity-name="PartyRole"/>
<set-pk-fields map="lookupPKMap" value-field="partyRole"/>
<create-value value-field="partyRole"/>
Modified: ofbiz/trunk/applications/party/config/PartyErrorUiLabels.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/config/PartyErrorUiLabels.xml?rev=1702704&r1=1702703&r2=1702704&view=diff
==============================================================================
--- ofbiz/trunk/applications/party/config/PartyErrorUiLabels.xml (original)
+++ ofbiz/trunk/applications/party/config/PartyErrorUiLabels.xml Sun Sep 13 08:31:55 2015
@@ -1171,6 +1171,16 @@
<value xml:lang="zh">å¿
é¡»çåæ° 'email' ä¸è½ä¸ºç©ºã</value>
<value xml:lang="zh-TW">å¿
è¦çåæ¸ 'email' ä¸è½çºç©º.</value>
</property>
+ <property key="PartyErrorCreatePermissionError">
+ <value xml:lang="ar">خطأ Ø£Ù
ÙÙ: Ùجب Ø£Ù ÙÙÙÙ ÙدÙ٠أذ٠PARTYMGR_CREATE Ø£Ù PARTYMGR_UPDATE Ùتشغ٠${resourceDescription}</value>
+ <value xml:lang="de">Berechtigungsfehler: Um ${resourceDescription} auszuführen muss man PARTYMGR_CREATE oder PARTYMGR_UPDATE Berechtigungen haben</value>
+ <value xml:lang="en">Security Error: to run ${resourceDescription} you must have the PARTYMGR_CREATE or PARTYMGR_UPDATE permission</value>
+ <value xml:lang="fr">Erreur de sécurité : pour effectuer ${resourceDescription} vous devez avoir l'autorisation PARTYMGR_CREATE ou PARTYMGR_UPDATE</value>
+ <value xml:lang="it">Errore di sicurezza: per eseguire ${resourceDescription} devi avere il permesso PARTYMGR_CREATE o PARTYMGR_UPDATE</value>
+ <value xml:lang="ja">ã»ãã¥ãªãã£ã¨ã©ã¼: ${resourceDescription} ãå®è¡ããã«ã¯ PARTYMGR_CREATE ã¾ã㯠PARTYMGR_UPDATE 権éãå¿
è¦ã§ã</value>
+ <value xml:lang="vi">Lá»i phân quyá»n: Äá» thá»±c thi ${resourceDescription} bạn cần có quyá»n PARTYMGR_CREATE hoặc PARTYMGR_UPDATE</value>
+ <value xml:lang="zh">ç³»ç»é误ï¼è¦è¿è¡${resourceDescription}ï¼ä½ å¿
é¡»æ PARTYMGR_CREATE æ PARTYMGR_UPDATE æé</value>
+ </property>
<property key="person.create.db_error">
<value xml:lang="de">Kann Informationen zur Person nicht hinzufügen (Schreibfehler): ${0}</value>
<value xml:lang="en">Could not add person info (write failure): ${0}</value>