[jira] [Commented] (OFBIZ-6228) The role permission function fail

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-6228?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14393875#comment-14393875 ]

Jiancai Hao commented on OFBIZ-6228:
------------------------------------

I noticed this code snippet:
...
    private boolean evalRoleMember(GenericValue userLogin) {
        if (nameOrRole == null) {
            Debug.logWarning("Null role type name passed for evaluation", module);
            return false;
        }
        List<GenericValue> partyRoles = null;
        /** (jaz) THIS IS NOT SECURE AT ALL
        try {
            partyRoles = delegator.findByAnd("PartyRole", "roleTypeId", nameOrRole, "partyId", userLogin.get("partyId"));
        } catch (GenericEntityException e) {
            Debug.logError(e, "Unable to lookup PartyRole records", module);
        }
        **/

        if (UtilValidate.isNotEmpty(partyRoles)) {
            partyRoles = EntityUtil.filterByDate(partyRoles);
            if (UtilValidate.isNotEmpty(partyRoles)) {
                return true;
            }
        }
        return false;
    }
...

The role search was commented out by jaz, seemingly for security reasons. So how can we fix this?

> The role permission function fail
> ---------------------------------
>
>                 Key: OFBIZ-6228
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6228
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jiancai Hao
>              Labels: permission, role
>
> When setting up a service with a role permission like this:
> <service name="learningCallingServiceOneWithPermission" engine="java" location="org.ofbiz.learning.learning.LearningServices" invoke="callingServiceOne">
>      <description>First Service Called From The Controller</description>
>      <required-permissions join-type="OR">
>            <!-- <check-permission permission="LEARN_VIEW" /> -->
>            <check-role-member role-type="CUSTOMER"/>
>      </required-permissions>
>      <implements service="learningInterface" />
> </service>
> ...
> and then assign the partyId (for example 10010) the role "CUSTOMER". Logging in with this party and calling the service "learningCallingServiceOneWithPermission", the party doesn't get the permission.
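
One candidate shape for restoring the lookup, as an added example written for this discussion and not code from OFBiz or from the commenter, using EntityQuery in place of the deprecated delegator.findByAnd. It assumes the enclosing class still has the nameOrRole, delegator and module fields of the original snippet, and that the stock PartyRole entity has no fromDate/thruDate fields, so the EntityUtil.filterByDate step is not applied to it.

```java
// Added example, not OFBiz project code: a drop-in for evalRoleMember that
// performs the PartyRole lookup the original has commented out. Assumes the
// enclosing class keeps the original's fields (nameOrRole, delegator, module)
// and that EntityQuery (the OFBiz entity-query API that replaced the
// deprecated delegator.findByAnd) is available in the tree in use.
import java.util.List;

import org.ofbiz.base.util.Debug;
import org.ofbiz.base.util.UtilValidate;
import org.ofbiz.entity.GenericEntityException;
import org.ofbiz.entity.GenericValue;
import org.ofbiz.entity.util.EntityQuery;

    private boolean evalRoleMember(GenericValue userLogin) {
        if (nameOrRole == null) {
            Debug.logWarning("Null role type name passed for evaluation", module);
            return false;
        }
        // A login with no party can hold no PartyRole, so deny up front
        // instead of querying with a null partyId.
        String partyId = (userLogin == null) ? null : userLogin.getString("partyId");
        if (UtilValidate.isEmpty(partyId)) {
            Debug.logWarning("UserLogin without partyId passed for role evaluation", module);
            return false;
        }
        List<GenericValue> partyRoles;
        try {
            // The lookup the original snippet disabled: is there a PartyRole
            // row binding this party to the requested role type?
            // Assumption: the stock PartyRole entity carries only partyId and
            // roleTypeId (no fromDate/thruDate), so the EntityUtil.filterByDate
            // step of the original is not applied to it here.
            partyRoles = EntityQuery.use(delegator)
                    .from("PartyRole")
                    .where("roleTypeId", nameOrRole, "partyId", partyId)
                    .queryList();
        } catch (GenericEntityException e) {
            // Fail closed: a lookup error denies rather than grants.
            Debug.logError(e, "Unable to lookup PartyRole records", module);
            return false;
        }
        // Without the lookup, partyRoles stays null and this is always false,
        // which is the denial the issue reports for partyId 10010 / CUSTOMER.
        return UtilValidate.isNotEmpty(partyRoles);
    }
```

Whether role membership alone should grant a service permission is the question jaz's comment raises; this only shows what restoring the check looks like, with the error path still denying.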



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)