Posted to dev@ofbiz.apache.org by "Jiancai Hao (JIRA)" <ji...@apache.org> on 2015/04/03 03:17:58 UTC

[jira] [Commented] (OFBIZ-6228) The role permission function fail

    [ https://issues.apache.org/jira/browse/OFBIZ-6228?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14393875#comment-14393875 ] 

Jiancai Hao commented on OFBIZ-6228:
------------------------------------

I noticed this code snippet:
...
    private boolean evalRoleMember(GenericValue userLogin) {
        if (nameOrRole == null) {
            Debug.logWarning("Null role type name passed for evaluation", module);
            return false;
        }
        List<GenericValue> partyRoles = null;
        /** (jaz) THIS IS NOT SECURE AT ALL
        try {
            partyRoles = delegator.findByAnd("PartyRole", "roleTypeId", nameOrRole, "partyId", userLogin.get("partyId"));
        } catch (GenericEntityException e) {
            Debug.logError(e, "Unable to lookup PartyRole records", module);
        }
        **/

        if (UtilValidate.isNotEmpty(partyRoles)) {
            partyRoles = EntityUtil.filterByDate(partyRoles);
            if (UtilValidate.isNotEmpty(partyRoles)) {
                return true;
            }
        }
        return false;
    }
...

The role lookup was commented out by jaz, seemingly for security reasons. So how can we fix this?

> The role permission function fail
> ---------------------------------
>
>                 Key: OFBIZ-6228
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6228
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jiancai Hao
>              Labels: permission, role
>
> When setting up a service with a role permission like this:
> 	<service name="learningCallingServiceOneWithPermission" engine="java" location="org.ofbiz.learning.learning.LearningServices" invoke="callingServiceOne">
> 	      <description>First Service Called From The Controller</description>
> 	      <required-permissions join-type="OR">
> 	            <!-- <check-permission permission="LEARN_VIEW" /> -->
> 	            <check-role-member role-type="CUSTOMER"/>
> 	      </required-permissions>
> 	      <implements service="learningInterface" />
> 	</service>
> ...
> and then assigning the partyId, for example 10010, the role "CUSTOMER". Log in using this party and call the service "learningCallingServiceOneWithPermission": the party doesn't get the permission.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
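To make the reported symptom concrete, here is an added Python model of the evalRoleMember logic quoted in the comment above; it is not OFBiz code. It stands in for delegator.findByAnd and EntityUtil.filterByDate with small in-memory functions, and it assumes the looked-up rows carry optional fromDate/thruDate fields, since the snippet date-filters them. With the lookup disabled, as in the snippet, the check can never grant; with it enabled, only a currently active matching role grants.

```python
from datetime import datetime, timedelta

# Constructed sample rows shaped like the PartyRole lookup in the snippet.
# fromDate/thruDate are an assumption made so that the date filter has data to act on.
NOW = datetime(2015, 4, 3)
PARTY_ROLES = [
    {"partyId": "10010", "roleTypeId": "CUSTOMER",
     "fromDate": NOW - timedelta(days=30), "thruDate": None},
    {"partyId": "10010", "roleTypeId": "SUPPLIER",             # expired yesterday
     "fromDate": NOW - timedelta(days=400), "thruDate": NOW - timedelta(days=1)},
    {"partyId": "10011", "roleTypeId": "CUSTOMER", "fromDate": None, "thruDate": None},
]


def find_by_and(rows, **fields):
    """Model of delegator.findByAnd: every given field must match exactly."""
    return [r for r in rows if all(r.get(k) == v for k, v in fields.items())]


def filter_by_date(rows, moment=NOW):
    """Model of EntityUtil.filterByDate: keep rows active at `moment`.
    A missing fromDate means 'always started'; a missing thruDate means 'not ended'."""
    return [r for r in rows
            if (r.get("fromDate") is None or r["fromDate"] <= moment)
            and (r.get("thruDate") is None or r["thruDate"] > moment)]


def eval_role_member(name_or_role, user_login, rows=PARTY_ROLES, lookup_enabled=True):
    """Model of evalRoleMember. lookup_enabled=False reproduces the snippet on the
    page, where the findByAnd call is commented out and partyRoles stays None."""
    if name_or_role is None:
        return False                      # null role type name: deny, as in the snippet
    party_roles = None
    if lookup_enabled:
        party_roles = find_by_and(rows, roleTypeId=name_or_role,
                                  partyId=user_login.get("partyId"))
    if party_roles:
        party_roles = filter_by_date(party_roles)
        if party_roles:
            return True
    return False                          # no active matching role: deny


if __name__ == "__main__":
    login = {"partyId": "10010"}
    print("lookup commented out:", eval_role_member("CUSTOMER", login, lookup_enabled=False))
    print("lookup enabled:      ", eval_role_member("CUSTOMER", login))
```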