Posted to dev@ofbiz.apache.org by "Jiancai Hao (JIRA)" <ji...@apache.org> on 2015/04/03 03:17:58 UTC
[jira] [Commented] (OFBIZ-6228) The role permission function fail
[ https://issues.apache.org/jira/browse/OFBIZ-6228?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14393875#comment-14393875 ]
Jiancai Hao commented on OFBIZ-6228:
------------------------------------
I noticed this code snippet:
...
private boolean evalRoleMember(GenericValue userLogin) {
    if (nameOrRole == null) {
        Debug.logWarning("Null role type name passed for evaluation", module);
        return false;
    }
    List<GenericValue> partyRoles = null;
    /** (jaz) THIS IS NOT SECURE AT ALL
    try {
        partyRoles = delegator.findByAnd("PartyRole", "roleTypeId", nameOrRole, "partyId", userLogin.get("partyId"));
    } catch (GenericEntityException e) {
        Debug.logError(e, "Unable to lookup PartyRole records", module);
    }
    **/
    if (UtilValidate.isNotEmpty(partyRoles)) {
        partyRoles = EntityUtil.filterByDate(partyRoles);
        if (UtilValidate.isNotEmpty(partyRoles)) {
            return true;
        }
    }
    return false;
}
...
The role lookup is commented out by jaz, seemingly for security reasons. So how can we fix this?
> The role permission function fail
> ---------------------------------
>
> Key: OFBIZ-6228
> URL: https://issues.apache.org/jira/browse/OFBIZ-6228
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: Trunk
> Reporter: Jiancai Hao
> Labels: permission, role
>
> When setting a service with role permission like this:
> <service name="learningCallingServiceOneWithPermission" engine="java" location="org.ofbiz.learning.learning.LearningServices" invoke="callingServiceOne">
>     <description>First Service Called From The Controller</description>
>     <required-permissions join-type="OR">
>         <!-- <check-permission permission="LEARN_VIEW" /> -->
>         <check-role-member role-type="CUSTOMER"/>
>     </required-permissions>
>     <implements service="learningInterface" />
> </service>
> ...
> and then assigning the partyId, for example 10010, the role of "CUSTOMER". Logging in with this party and calling the service "learningCallingServiceOneWithPermission", the party doesn't get the permission.
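As an added illustration (not code from the OFBiz project or from anyone in this thread), here is the role check described above modelled in Python: a PartyRole lookup by partyId and roleTypeId, a date filter standing in for EntityUtil.filterByDate, and the required-permissions join. The sample records, their fromDate/thruDate fields and the lookup_enabled switch are assumptions made for the model; the switch reproduces the reported outcome when the lookup is commented out, namely that the check fails closed and denies every party, including 10010 with CUSTOMER.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class PartyRole:
    """Hypothetical PartyRole record; the date bounds are an assumption of this model."""
    party_id: str
    role_type_id: str
    from_date: Optional[datetime] = None
    thru_date: Optional[datetime] = None

# Constructed sample data: 10010 currently holds CUSTOMER and an expired SUPPLIER role.
NOW = datetime(2015, 4, 3, tzinfo=timezone.utc)
PARTY_ROLES = [
    PartyRole("10010", "CUSTOMER", from_date=datetime(2015, 1, 1, tzinfo=timezone.utc)),
    PartyRole("10010", "SUPPLIER",
              from_date=datetime(2014, 1, 1, tzinfo=timezone.utc),
              thru_date=datetime(2014, 12, 31, tzinfo=timezone.utc)),
    PartyRole("10020", "CUSTOMER"),
]

def find_by_and(records, **fields):
    """Stand-in for delegator.findByAnd: every named field must match."""
    return [r for r in records if all(getattr(r, k) == v for k, v in fields.items())]

def filter_by_date(records, moment):
    """Stand-in for EntityUtil.filterByDate: keep rows active at `moment`.
    A missing fromDate/thruDate means the bound is open."""
    return [r for r in records
            if (r.from_date is None or r.from_date <= moment)
            and (r.thru_date is None or moment < r.thru_date)]

def eval_role_member(party_id, role_type, moment=NOW, lookup_enabled=True, records=PARTY_ROLES):
    """Mirror of evalRoleMember: a null role name denies; otherwise look up the
    party's roles, drop inactive ones, and grant only if something survives.
    lookup_enabled=False models the commented-out lookup from the snippet."""
    if role_type is None:
        return False
    party_roles = []
    if lookup_enabled:
        party_roles = find_by_and(records, role_type_id=role_type, party_id=party_id)
    return bool(filter_by_date(party_roles, moment))

def required_permissions(party_id, role_checks, join_type="OR", **kw):
    """Combine several check-role-member results with the join-type of the
    <required-permissions> element: OR grants on any pass, AND needs all."""
    results = [eval_role_member(party_id, role, **kw) for role in role_checks]
    return any(results) if join_type == "OR" else all(results)

if __name__ == "__main__":
    print("10010 CUSTOMER, lookup on :", eval_role_member("10010", "CUSTOMER"))
    print("10010 CUSTOMER, lookup off:", eval_role_member("10010", "CUSTOMER", lookup_enabled=False))
```

With the lookup enabled, party 10010 passes the CUSTOMER check and fails the expired SUPPLIER one; with it disabled, as in the snippet, partyRoles stays empty and every caller is denied, which is exactly the symptom the issue reports.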
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)