Possible NPE in security check
------------------------------

                 Key: OFBIZ-3160
                 URL: https://issues.apache.org/jira/browse/OFBIZ-3160
             Project: OFBiz
          Issue Type: Bug
          Components: framework, order
    Affects Versions: Release Branch 9.04
            Reporter: Wickersheimer Jeremy
            Priority: Minor
             Fix For: Release Branch 9.04

I ran into two cases of NPE during the permission check for the order email notification when user login is null.

First in OFBizSecurity, hasEntityPermission(String entity, String action, HttpSession session) and hasEntityPermission(String entity, String action, GenericValue userLogin) have the same signature in that case, resulting in the first method being called from the groovy script. A very simple fix is to add a check on the session object:

    public boolean hasEntityPermission(String entity, String action, HttpSession session) {
        if (session == null) return false;

The second one is in OrderStatus.groovy, again a very simple fix is to check the user login again:

    } else if (userLogin) {
        // regardless of permission, allow if this is the supplier
        currentUserSupplierOrderRoles = orderHeader.getRelated("OrderRole", [partyId : userLogin.partyId, roleTypeId : "SUPPLIER_AGENT"], null);

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[ https://issues.apache.org/jira/browse/OFBIZ-3160?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wickersheimer Jeremy updated OFBIZ-3160:
----------------------------------------

    Description:

I ran into a NPE in one of our groovy scripts; it is due to a small issue in OFBizSecurity. hasEntityPermission(String entity, String action, HttpSession session) and hasEntityPermission(String entity, String action, GenericValue userLogin) have the same signature in that case, resulting in the first method being called from the groovy script. A very simple fix is to add a check on the session object:

    public boolean hasEntityPermission(String entity, String action, HttpSession session) {
        if (session == null) return false;

(edit: remove second part, actually that is something we modified)

  was:

I ran into two cases of NPE during the permission check for the order email notification when user login is null.

First in OFBizSecurity, hasEntityPermission(String entity, String action, HttpSession session) and hasEntityPermission(String entity, String action, GenericValue userLogin) have the same signature in that case, resulting in the first method being called from the groovy script. A very simple fix is to add a check on the session object:

    public boolean hasEntityPermission(String entity, String action, HttpSession session) {
        if (session == null) return false;

The second one is in OrderStatus.groovy, again a very simple fix is to check the user login again:

    } else if (userLogin) {
        // regardless of permission, allow if this is the supplier
        currentUserSupplierOrderRoles = orderHeader.getRelated("OrderRole", [partyId : userLogin.partyId, roleTypeId : "SUPPLIER_AGENT"], null);
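The failure mode described above is dynamic overload resolution: a Groovy caller passes a null userLogin, the runtime binds the call to one of the two hasEntityPermission overloads, and that overload dereferences its null argument. The following Java sketch is an added example, not OFBiz's code, that models both overloads with the session-null guard proposed in the report and a matching guard on the userLogin overload, so a null in either position is a deny rather than an exception. HttpSession and GenericValue are minimal stand-ins for the servlet and OFBiz entity types, and the permission store and the ENTITY_ADMIN / ENTITY_ACTION rule are constructed assumptions modelled loosely on OFBiz naming.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example (not OFBiz code): null-safe overloaded permission check,
// modelled on the fix proposed in OFBIZ-3160.
public class NullSafePermissionCheck {

    /** Stand-in for javax.servlet.http.HttpSession (assumption, not the real API). */
    interface HttpSession {
        Object getAttribute(String name);
    }

    /** Stand-in for org.ofbiz.entity.GenericValue (assumption, not the real API). */
    static class GenericValue {
        private final Map<String, Object> fields = new HashMap<>();
        GenericValue set(String key, Object value) { fields.put(key, value); return this; }
        String getString(String key) { Object v = fields.get(key); return v == null ? null : v.toString(); }
    }

    /** Toy permission store: userLoginId -> permissions held (constructed sample data). */
    private final Map<String, Set<String>> grants = new HashMap<>();

    NullSafePermissionCheck grant(String userLoginId, String permission) {
        grants.computeIfAbsent(userLoginId, k -> new HashSet<>()).add(permission);
        return this;
    }

    /**
     * Session overload: resolves the userLogin from the session, then delegates.
     * The null guard is the OFBIZ-3160 fix; without it, session.getAttribute(...)
     * throws a NullPointerException whenever a dynamic caller lands here with null.
     */
    public boolean hasEntityPermission(String entity, String action, HttpSession session) {
        if (session == null) return false;
        GenericValue userLogin = (GenericValue) session.getAttribute("userLogin");
        return hasEntityPermission(entity, action, userLogin);
    }

    /** userLogin overload: guarded the same way so a missing login is a deny, not an NPE. */
    public boolean hasEntityPermission(String entity, String action, GenericValue userLogin) {
        if (userLogin == null) return false;
        String userLoginId = userLogin.getString("userLoginId");
        if (userLoginId == null) return false;
        Set<String> held = grants.get(userLoginId);
        if (held == null) return false;
        // Assumed rule: ENTITY_ADMIN covers every action, otherwise ENTITY_ACTION is required.
        return held.contains(entity + "_ADMIN") || held.contains(entity + "_" + action);
    }

    public static void main(String[] args) {
        NullSafePermissionCheck security = new NullSafePermissionCheck()
            .grant("admin", "ORDERMGR_ADMIN")
            .grant("clerk", "ORDERMGR_VIEW");

        // A bare null literal would not compile in Java (the call is ambiguous between
        // the two overloads); a typed null variable reproduces what a dynamic caller does.
        HttpSession nullSession = null;
        System.out.println("null session: " + security.hasEntityPermission("ORDERMGR", "VIEW", nullSession));

        GenericValue nullLogin = null;
        System.out.println("null userLogin: " + security.hasEntityPermission("ORDERMGR", "VIEW", nullLogin));

        // Session present but nobody logged in (no userLogin attribute).
        HttpSession anonymous = name -> null;
        System.out.println("anonymous session: " + security.hasEntityPermission("ORDERMGR", "VIEW", anonymous));

        // Session with a logged-in clerk who holds only ORDERMGR_VIEW.
        GenericValue clerk = new GenericValue().set("userLoginId", "clerk");
        HttpSession clerkSession = name -> "userLogin".equals(name) ? clerk : null;
        System.out.println("clerk VIEW: " + security.hasEntityPermission("ORDERMGR", "VIEW", clerkSession));
        System.out.println("clerk UPDATE: " + security.hasEntityPermission("ORDERMGR", "UPDATE", clerkSession));

        // Admin holds ORDERMGR_ADMIN, which the assumed rule treats as covering any action.
        GenericValue admin = new GenericValue().set("userLoginId", "admin");
        System.out.println("admin UPDATE: " + security.hasEntityPermission("ORDERMGR", "UPDATE", admin));
    }
}
```

Compile and run with `javac NullSafePermissionCheck.java && java NullSafePermissionCheck`. The three null or anonymous cases come back as a deny, the clerk is allowed VIEW but not UPDATE, and the admin is allowed UPDATE through the assumed ENTITY_ADMIN rule; nothing throws. Guarding both overloads, rather than only the one the report hit, matters because which overload a dynamic caller reaches for a null argument is a runtime decision that can change when the class gains or reorders methods.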
[ https://issues.apache.org/jira/browse/OFBIZ-3160?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-3160.
----------------------------------

       Resolution: Fixed
    Fix Version/s: SVN trunk
         Assignee: Jacques Le Roux

Thanks Jeremy,

Your fix is implemented in trunk at r835161, R9.04 at r835162

> Possible NPE in security check
> ------------------------------
>
>                 Key: OFBIZ-3160
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-3160
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework, order
>    Affects Versions: Release Branch 9.04
>            Reporter: Wickersheimer Jeremy
>            Assignee: Jacques Le Roux
>            Priority: Minor
>             Fix For: Release Branch 9.04, SVN trunk