This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit 4594fc4964e92a48295608ec445394bfa1d5c3f3 Author: Harutyun Farajyan <[hidden email]> AuthorDate: Tue Mar 17 16:44:35 2020 +0100 Improved: Convert PartyPermissionServices.xml from mini lang to groovy (OFBIZ-11433) Thanks to Harutyun Farajyan for providing the patch --- .../party/PartyPermissionServices.groovy | 280 ++++++++++++++++++++ .../minilang/party/PartyPermissionServices.xml | 284 --------------------- applications/party/servicedef/services.xml | 51 ++-- 3 files changed, 309 insertions(+), 306 deletions(-)
diff --git a/applications/party/groovyScripts/party/PartyPermissionServices.groovy b/applications/party/groovyScripts/party/PartyPermissionServices.groovy
new file mode 100644
index 0000000..c004ddd
--- /dev/null
+++ b/applications/party/groovyScripts/party/PartyPermissionServices.groovy
@@ -0,0 +1,280 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import org.apache.ofbiz.base.util.UtilProperties
+import org.apache.ofbiz.entity.GenericValue
+
+// ============== Basic Permission Checking =============
+
+//Returns hasPermission=true if user has one of the base PARTYMGR CRUD+ADMIN permissions
+/**
+ * Party Manager base permission logic
+ */
+def basePermissionCheck() {
+ parameters.primaryPermission = "PARTYMGR"
+ Map serviceResult = run service: "genericBasePermissionCheck", with: parameters
+ return serviceResult
+}
+
+//Returns hasPermission=true if userLogin partyId equals partyId parameter
+/**
+ * Party ID Permission Check
+ */
+def partyIdPermissionCheck(Map parameters) {
+ Map result = success()
+ Boolean hasPermission
+ String partyId = parameters.partyId
+
+ if (partyId && userLogin.partyId && partyId == userLogin.partyId) {
+ hasPermission = true
+ } else {
+ String resourceDescription = parameters.resourceDescription
+ if (!resourceDescription) {
+ resourceDescription = UtilProperties.getPropertyValue("CommonUiLabels", "CommonPermissionThisOperation")
+ }
+ String failMessage = UtilProperties.getMessage("PartyUiLabels",
+ "PartyPermissionErrorPartyId", [resourceDescription: resourceDescription], parameters.locale)
+ hasPermission = false
+ result.failMessage = failMessage
+ }
+ result.hasPermission = hasPermission
+ return result
+}
+
+//Returns hasPermission=true if userLogin party equals partyId parameter OR
+// user has one of the base PARTYMGR CRUD+ADMIN permissions
+/**
+ * Base Permission Plus Party ID Permission Check
+ */
+def basePlusPartyIdPermissionCheck() {
+ Map result = run service: "basePermissionCheck", with: parameters
+ if (!result.hasPermission) {
+ result = partyIdPermissionCheck(parameters)
+ }
+ return result
+}
+
+// ============== Additional Permission Checking =============
+
+//Returns hasPermission=true if userLogin partyId equals partyId parameter OR
+// user has one of the base PARTYMGR or PARTYMGR_STS CRUD+ADMIN permissions
+/**
+ * Party status permission logic
+ */
+def partyStatusPermissionCheck() {
+ Map result = success()
+ Boolean hasPermission = false
+ if (parameters.partyId && parameters.partyId == userLogin.partyId) {
+ hasPermission = true
+ result.hasPermission = hasPermission
+ }
+ if (!hasPermission) {
+ parameters.altPermission = "PARTYMGR_STS"
+ result = run service: "basePermissionCheck", with: parameters
+ }
+ return result
+}
+
+//Returns hasPermission=true if userLogin partyId equals partyId parameter OR
+// user has one of the base PARTYMGR or PARTYMGR_GRP CRUD+ADMIN permissions
+/**
+ * Party group permission logic
+ */
+def partyGroupPermissionCheck() {
+ parameters.altPermission = "PARTYMGR_GRP"
+ Map result = run service: "partyStatusPermissionCheck", with: parameters
+ return result
+}
+
+//Returns hasPermission=true if user has one of the base PARTYMGR or PARTYMGR_SRC CRUD+ADMIN permissions
+/**
+ * Party datasource permission logic
+ */
+def partyDatasourcePermissionCheck() {
+ parameters.altPermission = "PARTYMGR_SRC"
+ Map result = run service: "basePermissionCheck", with: parameters
+ return result
+}
+
+//Returns hasPermission=true if user has one of the base PARTYMGR or PARTYMGR_ROLE CRUD+ADMIN permissions
+/**
+ * Party role permission logic
+ */
+def partyRolePermissionCheck() {
+ parameters.altPermission = "PARTYMGR_ROLE"
+ Map result = run service: "partyStatusPermissionCheck", with: parameters
+ return result
+}
+
+//Returns hasPermission=true if user has one of the base PARTYMGR or PARTYMGR_REL CRUD+ADMIN permissions
+/**
+ * Party relationship permission logic
+ */
+def partyRelationshipPermissionCheck() {
+ Map result = success()
+ if (!parameters.partyIdFrom) {
+ parameters.partyIdFrom = userLogin.partyId
+ result.hasPermission = true
+ } else {
+ parameters.altPermission = "PARTYMGR_REL"
+ result = run service: "basePermissionCheck", with: parameters
+ }
+ return result
+}
+
+//Returns hasPermission=true if userLogin partyId equals partyId parameter OR
+// user has one of the base PARTYMGR or PARTYMGR_PCM CRUD+ADMIN permissions
+/**
+ * Party contact mech permission logic
+ */
+def partyContactMechPermissionCheck() {
+ Map result = success()
+ if (!parameters.partyId || userLogin.partyId == parameters.partyId) {
+ Boolean hasPermission = true
+ result.hasPermission = hasPermission
+ } else {
+ parameters.altPermission = "PARTYMGR_PCM"
+ result = run service: "basePermissionCheck", with: parameters
+ }
+ return result
+}
+
+//Accept/Decline PartyInvitation Permission Checks
+/**
+ * Accept and Decline PartyInvitation Permission Logic
+ */
+def accAndDecPartyInvitationPermissionCheck() {
+ Map result = success()
+ Boolean hasPermission = false
+ if (security.hasEntityPermission("PARTYMGR_UPDATE", "_UPDATE", parameters.userLogin)) {
+ hasPermission = true
+ result.hasPermission = hasPermission
+ }
+ if (!hasPermission) {
+ GenericValue partyInvitation = from("PartyInvitation").where(parameters).queryOne()
+ if (!partyInvitation?.partyId) {
+ if (!partyInvitation?.emailAddress) {
+ return error(UtilProperties.getMessage("PartyUiLabels",
+ "PartyInvitationNotValidError", parameters.locale))
+ } else {
+ Map serviceResult = run service: "findPartyFromEmailAddress", with: [address: partyInvitation.emailAddress]
+ String partyId = serviceResult.partyId
+ if (partyId && partyId == userLogin.partyId) {
+ hasPermission = true
+ result.hasPermission = hasPermission
+ } else {
+ return error(UtilProperties.getMessage("PartyUiLabels",
+ "PartyInvitationNotValidError", parameters.locale))
+ }
+ }
+ } else {
+ if (partyInvitation.partyId == userLogin.partyId) {
+ hasPermission = true
+ result.hasPermission = hasPermission
+ }
+ }
+ }
+ if (!hasPermission) {
+ String failMessage = UtilProperties.getMessage("PartyUiLabels", "PartyInvitationAccAndDecPermissionError", parameters.locale)
+ logWarning(failMessage)
+ result.failMessage = failMessage
+ result.hasPermission = hasPermission
+ }
+ return result
+}
+
+//Cancel PartyInvitation Permission Checks
+/**
+ * Cancel PartyInvitation Permission Logic
+ */
+def cancelPartyInvitationPermissionCheck() {
+ Map result = success()
+ Boolean hasPermission = false
+ if (security.hasEntityPermission("PARTYMGR_UPDATE", "_UPDATE", parameters.userLogin)) {
+ hasPermission = true
+ result.hasPermission = hasPermission
+ }
+ if (!hasPermission) {
+ GenericValue partyInvitation = from("PartyInvitation").where(parameters).queryOne()
+ if (partyInvitation?.partyIdFrom
+ && partyInvitation.partyIdFrom == userLogin.partyId) {
+ hasPermission = true
+ result.hasPermission = hasPermission
+ }
+ if (!hasPermission) {
+ if (!partyInvitation?.partyId) {
+ if (!partyInvitation?.emailAddress) {
+ String errorMessage = UtilProperties.getMessage("PartyUiLabels", "PartyInvitationNotValidError", parameters.locale)
+ logError(errorMessage)
+ return error(errorMessage)
+ } else {
+ Map findPartyCtx = [address: partyInvitation.emailAddress]
+ Map serviceResult = run service: "findPartyFromEmailAddress", with: findPartyCtx
+ String partyId = serviceResult.partyId
+ if (partyId) {
+ if (partyId == userLogin.partyId) {
+ hasPermission = true
+ result.hasPermission = hasPermission
+ }
+ } else {
+ String errorMessage = UtilProperties.getMessage("PartyUiLabels", "PartyInvitationNotValidError", parameters.locale)
+ logError(errorMessage)
+ return error(errorMessage)
+ }
+ }
+ } else {
+ if (partyInvitation?.partyId == userLogin.partyId) {
+ hasPermission = true
+ result.hasPermission = hasPermission
+ }
+ }
+ }
+ }
+ if (!hasPermission) {
+ String failMessage = UtilProperties.getMessage("PartyUiLabels", "PartyInvitationCancelPermissionError", parameters.locale)
+ logWarning(failMessage)
+ result.failMessage = failMessage
+ result.hasPermission = hasPermission
+ }
+ return result
+}
+
+//Returns hasPermission=true if userLogin partyId equals partyIdFrom parameter OR
+// partyIdTo parameter OR user has one of the base PARTYMGR or PARTYMGR_CME CRUD+ADMIN permissions
+/**
+ * Communication Event permission logic
+ */
+def partyCommunicationEventPermissionCheck() {
+ Map result = success()
+ if (parameters.communicationEventTypeId == "EMAIL_COMMUNICATION" && parameters.mainAction == "CREATE") {
+ parameters.altPermission = "PARTYMGR_CME-EMAIL"
+ } else if (parameters.communicationEventTypeId == "COMMENT_NOTE" && parameters.mainAction == "CREATE") {
+ parameters.altPermission = "PARTYMGR_CME-NOTE"
+ } else if (parameters.partyIdFrom != userLogin.partyId
+ && parameters.partyIdTo != userLogin.partyId
+ && parameters.partyId != userLogin.partyId) { // <- update role
+ parameters.altPermission = "PARTYMGR_CME"
+ } else {
+ result.hasPermission = true
+ }
+ if (!result.hasPermission) {
+ result = run service: "basePermissionCheck", with: parameters
+ }
+ return result
+}
\ No newline at end of file
diff --git a/applications/party/minilang/party/PartyPermissionServices.xml b/applications/party/minilang/party/PartyPermissionServices.xml
deleted file mode 100644
index a11321d..0000000
--- a/applications/party/minilang/party/PartyPermissionServices.xml
+++ /dev/null
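Review bot: partyGroupPermissionCheck and partyRolePermissionCheck set parameters.altPermission to PARTYMGR_GRP / PARTYMGR_ROLE and then run partyStatusPermissionCheck, which unconditionally assigns `parameters.altPermission = "PARTYMGR_STS"` before delegating to basePermissionCheck, so the group and role permissions are never evaluated and a holder of PARTYMGR_STS passes both checks while a holder of only PARTYMGR_GRP or PARTYMGR_ROLE is refused. The removed minilang routed both methods through basePlusPartyIdPermissionCheck, which leaves altPermission untouched and still grants on partyId equality; restoring that, `Map result = basePlusPartyIdPermissionCheck()` in place of each `run service: "partyStatusPermissionCheck"` line, makes the code match the PARTYMGR_GRP / PARTYMGR_ROLE promised in the two header comments.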
@@ -1,284 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" ?>
-<!--
-Licensed to the Apache Software Foundation (ASF) under one
-or more contributor license agreements. See the NOTICE file
-distributed with this work for additional information
-regarding copyright ownership. The ASF licenses this file
-to you under the Apache License, Version 2.0 (the
-"License"); you may not use this file except in compliance
-with the License. You may obtain a copy of the License at
-
-http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing,
-software distributed under the License is distributed on an
-"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-KIND, either express or implied. See the License for the
-specific language governing permissions and limitations
-under the License.
--->
-
-<simple-methods xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns="http://ofbiz.apache.org/Simple-Method" xsi:schemaLocation="http://ofbiz.apache.org/Simple-Method http://ofbiz.apache.org/dtds/simple-methods.xsd">
-
- <!-- ============== Basic Permission Checking ============= -->
-
- <!-- Returns hasPermission=true if user has one of the base PARTYMGR CRUD+ADMIN permissions -->
- <simple-method method-name="basePermissionCheck" short-description="Party Manager base permission logic">
- <set field="primaryPermission" value="PARTYMGR"/>
- <call-simple-method method-name="genericBasePermissionCheck" xml-resource="component://common/minilang/permission/CommonPermissionServices.xml"/>
- </simple-method>
-
- <!-- Returns hasPermission=true if userLogin partyId equals partyId parameter -->
- <simple-method method-name="partyIdPermissionCheck" short-description="Party ID Permission Check">
- <if-empty field="partyId">
- <set field="partyId" from-field="parameters.partyId"/>
- </if-empty>
- <if>
- <condition>
- <and>
- <not><if-empty field="partyId"/></not>
- <not><if-empty field="userLogin.partyId"/></not>
- <if-compare-field field="partyId" to-field="userLogin.partyId" operator="equals"/>
- </and>
- </condition>
- <then>
- <set field="hasPermission" type="Boolean" value="true"/>
- </then>
- <else>
- <set field="resourceDescription" from-field="parameters.resourceDescription"/>
- <if-empty field="resourceDescription">
- <property-to-field resource="CommonUiLabels" property="CommonPermissionThisOperation" field="resourceDescription"/>
- </if-empty>
- <property-to-field resource="PartyUiLabels" property="PartyPermissionErrorPartyId" field="failMessage"/>
- <set field="hasPermission" type="Boolean" value="false"/>
- <field-to-result field="failMessage"/>
- </else>
- </if>
- <field-to-result field="hasPermission"/>
- </simple-method>
-
- <!-- Returns hasPermission=true if userLogin party equals partyId parameter OR
- user has one of the base PARTYMGR CRUD+ADMIN permissions -->
- <simple-method method-name="basePlusPartyIdPermissionCheck" short-description="Base Permission Plus Party ID Permission Check">
- <call-simple-method method-name="basePermissionCheck"/>
- <if-compare field="hasPermission" operator="not-equals" value="true">
- <call-simple-method method-name="partyIdPermissionCheck"/>
- </if-compare>
- </simple-method>
-
- <!-- ============== Additional Permission Checking ============= -->
-
- <!-- Returns hasPermission=true if userLogin partyId equals partyId parameter OR
- user has one of the base PARTYMGR or PARTYMGR_STS CRUD+ADMIN permissions -->
- <simple-method method-name="partyStatusPermissionCheck" short-description="Party status permission logic">
- <set field="hasPermission" type="Boolean" value="false"/>
- <if-not-empty field="parameters.partyId">
- <if-compare-field field="parameters.partyId" to-field="userLogin.partyId" operator="equals">
- <set field="hasPermission" type="Boolean" value="true"/>
- <field-to-result field="hasPermission"/>
- </if-compare-field>
- </if-not-empty>
- <if-compare field="hasPermission" operator="not-equals" value="true">
- <set field="altPermission" value="PARTYMGR_STS"/>
- <call-simple-method method-name="basePermissionCheck"/>
- </if-compare>
- </simple-method>
-
- <!-- Returns hasPermission=true if userLogin partyId equals partyId parameter OR
- user has one of the base PARTYMGR or PARTYMGR_GRP CRUD+ADMIN permissions -->
- <simple-method method-name="partyGroupPermissionCheck" short-description="Party group permission logic">
- <set field="altPermission" value="PARTYMGR_GRP"/>
- <call-simple-method method-name="basePlusPartyIdPermissionCheck"/>
- </simple-method>
-
- <!-- Returns hasPermission=true if user has one of the base PARTYMGR or PARTYMGR_SRC CRUD+ADMIN permissions -->
- <simple-method method-name="partyDatasourcePermissionCheck" short-description="Party datasource permission logic">
- <set field="altPermission" value="PARTYMGR_SRC"/>
- <call-simple-method method-name="basePermissionCheck"/>
- </simple-method>
-
- <!-- Returns hasPermission=true if user has one of the base PARTYMGR or PARTYMGR_ROLE CRUD+ADMIN permissions -->
- <simple-method method-name="partyRolePermissionCheck" short-description="Party role permission logic">
- <set field="altPermission" value="PARTYMGR_ROLE"/>
- <call-simple-method method-name="basePlusPartyIdPermissionCheck"/>
- </simple-method>
-
- <!-- Returns hasPermission=true if user has one of the base PARTYMGR or PARTYMGR_REL CRUD+ADMIN permissions -->
- <simple-method method-name="partyRelationshipPermissionCheck" short-description="Party relationship permission logic">
- <if-empty field="parameters.partyIdFrom">
- <set field="parameters.partyIdFrom" from-field="userLogin.partyId"/>
- <set field="hasPermission" type="Boolean" value="true"/>
- <field-to-result field="hasPermission"/>
- <else>
- <set field="altPermission" value="PARTYMGR_REL"/>
- <call-simple-method method-name="basePermissionCheck"/>
- </else>
- </if-empty>
- </simple-method>
-
- <!-- Returns hasPermission=true if userLogin partyId equals partyId parameter OR
- user has one of the base PARTYMGR or PARTYMGR_PCM CRUD+ADMIN permissions -->
- <simple-method method-name="partyContactMechPermissionCheck" short-description="Party contact mech permission logic">
- <if-empty field="parameters.partyId">
- <set field="parameters.partyId" from-field="userLogin.partyId"/>
- </if-empty>
- <if-compare-field to-field="userLogin.partyId" field="parameters.partyId" operator="equals">
- <set field="hasPermission" type="Boolean" value="true"/>
- <field-to-result field="hasPermission"/>
-
- <else>
- <set field="altPermission" value="PARTYMGR_PCM"/>
- <call-simple-method method-name="basePermissionCheck"/>
- </else>
- </if-compare-field>
- </simple-method>
-
- <!-- Accept/Decline/Cancel PartyInvitation Permission Checks -->
- <simple-method method-name="accAndDecPartyInvitationPermissionCheck" short-description="Accept and Decline PartyInvitation Permission Logic">
- <set field="hasPermission" type="Boolean" value="false"/>
- <if-has-permission permission="PARTYMGR_UPDATE" action="_UPDATE">
- <set field="hasPermission" type="Boolean" value="true"/>
- <field-to-result field="hasPermission"/>
- </if-has-permission>
- <if-compare field="hasPermission" operator="not-equals" value="true">
- <entity-one entity-name="PartyInvitation" value-field="partyInvitation"/>
- <if-empty field="partyInvitation.partyId">
- <if-empty field="partyInvitation.emailAddress">
- <add-error>
- <fail-property resource="PartyUiLabels" property="PartyInvitationNotValidError"/>
- </add-error>
- <else>
- <set field="findPartyCtx.address" from-field="partyInvitation.emailAddress"/>
- <call-service service-name="findPartyFromEmailAddress" in-map-name="findPartyCtx">
- <result-to-field result-name="partyId" field="partyId"/>
- </call-service>
- <if-not-empty field="partyId">
- <if-compare-field field="partyId" to-field="userLogin.partyId" operator="equals">
- <set field="hasPermission" type="Boolean" value="true"/>
- <field-to-result field="hasPermission"/>
- </if-compare-field>
- <else>
- <add-error>
- <fail-property resource="PartyUiLabels" property="PartyInvitationNotValidError"/>
- </add-error>
- </else>
- </if-not-empty>
- </else>
- </if-empty>
- <else>
- <if-compare-field field="partyInvitation.partyId" to-field="userLogin.partyId" operator="equals">
- <set field="hasPermission" type="Boolean" value="true"/>
- <field-to-result field="hasPermission"/>
- </if-compare-field>
- </else>
- </if-empty>
- <check-errors/>
- </if-compare>
- <if-compare field="hasPermission" operator="not-equals" value="true">
- <property-to-field property="PartyInvitationAccAndDecPermissionError" field="failMessage" resource="PartyUiLabels"/>
- <field-to-result field="hasPermission"/>
- <field-to-result field="failMessage"/>
- </if-compare>
- </simple-method>
- <simple-method method-name="cancelPartyInvitationPermissionCheck" short-description="Cancel PartyInvitation Permission Logic">
- <set field="hasPermission" type="Boolean" value="false"/>
- <if-has-permission permission="PARTYMGR_UPDATE" action="_UPDATE">
- <set field="hasPermission" type="Boolean" value="true"/>
- <field-to-result field="hasPermission"/>
- </if-has-permission>
- <if-compare field="hasPermission" operator="not-equals" value="true">
- <entity-one entity-name="PartyInvitation" value-field="partyInvitation"/>
- <if-not-empty field="partyInvitation.partyIdFrom">
- <if-compare-field field="partyInvitation.partyIdFrom" to-field="userLogin.partyId" operator="equals">
- <set field="hasPermission" type="Boolean" value="true"/>
- <field-to-result field="hasPermission"/>
- </if-compare-field>
- </if-not-empty>
- <if-compare field="hasPermission" operator="not-equals" value="true">
- <if-empty field="partyInvitation.partyId">
- <if-empty field="partyInvitation.emailAddress">
- <add-error>
- <fail-property resource="PartyUiLabels" property="PartyInvitationNotValidError"/>
- </add-error>
- <else>
- <set field="findPartyCtx.address" from-field="partyInvitation.emailAddress"/>
- <call-service service-name="findPartyFromEmailAddress" in-map-name="findPartyCtx">
- <result-to-field result-name="partyId" field="partyId"/>
- </call-service>
- <if-not-empty field="partyId">
- <if-compare-field field="partyId" to-field="userLogin.partyId" operator="equals">
- <set field="hasPermission" type="Boolean" value="true"/>
- <field-to-result field="hasPermission"/>
- </if-compare-field>
- <else>
- <add-error>
- <fail-property resource="PartyUiLabels" property="PartyInvitationNotValidError"/>
- </add-error>
- </else>
- </if-not-empty>
- </else>
- </if-empty>
- <else>
- <if-compare-field field="partyInvitation.partyId" to-field="userLogin.partyId" operator="equals">
- <set field="hasPermission" type="Boolean" value="true"/>
- <field-to-result field="hasPermission"/>
- </if-compare-field>
- </else>
- </if-empty>
- <check-errors/>
- </if-compare>
- </if-compare>
- <if-compare field="hasPermission" operator="not-equals" value="true">
- <property-to-field property="PartyInvitationCancelPermissionError" field="failMessage" resource="PartyUiLabels"/>
- <field-to-result field="hasPermission"/>
- <field-to-result field="failMessage"/>
- </if-compare>
- </simple-method>
-
- <!-- Returns hasPermission=true if userLogin partyId equals partyIdFrom parameter OR
- partyIdTo parameter OR user has one of the base PARTYMGR or PARTYMGR_CME CRUD+ADMIN permissions -->
- <simple-method method-name="partyCommunicationEventPermissionCheck" short-description="Communication Event permission logic">
- <if>
- <condition>
- <and>
- <if-compare operator="equals" value="EMAIL_COMMUNICATION" field="parameters.communicationEventTypeId"/>
- <if-compare operator="equals" value="CREATE" field="action"/>
- </and>
- </condition>
- <then>
- <set field="altPermission" value="PARTYMGR_CME-EMAIL"/>
- <call-simple-method method-name="basePermissionCheck"/>
- </then>
- <else-if>
- <condition>
- <and>
- <if-compare operator="equals" value="COMMENT_NOTE" field="parameters.communicationEventTypeId"/>
- <if-compare operator="equals" value="CREATE" field="action"/>
- </and>
- </condition>
- <then>
- <set field="altPermission" value="PARTYMGR_CME-NOTE"/>
- <call-simple-method method-name="basePermissionCheck"/>
- </then>
- </else-if>
- <else-if>
- <condition>
- <and>
- <if-compare-field field="parameters.partyIdFrom" to-field="userLogin.partyId" operator="not-equals"/>
- <if-compare-field field="parameters.partyIdTo" to-field="userLogin.partyId" operator="not-equals"/>
- <if-compare-field field="parameters.partyId" to-field="userLogin.partyId" operator="not-equals"/><!-- update role -->
- </and>
- </condition>
- <then>
- <set field="altPermission" value="PARTYMGR_CME"/>
- <call-simple-method method-name="basePermissionCheck"/>
- </then>
- </else-if>
- <else>
- <set field="hasPermission" type="Boolean" value="true"/>
- <field-to-result field="hasPermission"/>
- </else>
- </if>
- </simple-method>
-</simple-methods>
diff --git a/applications/party/servicedef/services.xml b/applications/party/servicedef/services.xml
index 00b7109..b26dcfc 100644
--- a/applications/party/servicedef/services.xml
+++ b/applications/party/servicedef/services.xml
@@ -1102,16 +1102,23 @@ under the License. </service> <!-- Permission checking services--> - <service name="partyBasePermissionCheck" engine="simple" - location="component://party/minilang/party/PartyPermissionServices.xml" invoke="basePermissionCheck"> + <service name="partyBasePermissionCheck" engine="groovy" + location="component://party/groovyScripts/party/PartyPermissionServices.groovy" invoke="basePermissionCheck"> <description> Performs a basic Party Manager security check. The user must have one of the base PARTYMGR CRUD+ADMIN permissions. </description> <implements service="permissionInterface"/> </service> - <service name="partyIdPermissionCheck" engine="simple" - location="component://party/minilang/party/PartyPermissionServices.xml" invoke="basePlusPartyIdPermissionCheck"> + <service name="basePermissionCheck" engine="groovy" + location="component://party/groovyScripts/party/PartyPermissionServices.groovy" invoke="basePermissionCheck"> + <description> + Performs a basic security check. The user must have the base PARTYMGR permission. + </description> + <implements service="permissionInterface"/> + </service> + <service name="partyIdPermissionCheck" engine="groovy" + location="component://party/groovyScripts/party/PartyPermissionServices.groovy" invoke="basePlusPartyIdPermissionCheck"> <description> Performs a party ID security check. The userLogin partyId must equal the partyId parameter, or the logged-in user must have the correct permission 
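Review bot: The new `basePermissionCheck` service definition duplicates `partyBasePermissionCheck` (same location, same invoke, same permissionInterface) under a name with no component prefix; service names are global to the dispatcher, so a generic name like this is prone to collide with another component's definition and gives two entries that can drift apart. If it only exists so the Groovy script can `run service: "basePermissionCheck"`, pointing those calls at the existing `partyBasePermissionCheck` lets this whole block be dropped. If it is kept, its description ("must have the base PARTYMGR permission") should match the sibling's ("one of the base PARTYMGR CRUD+ADMIN permissions"), since both invoke the same code.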
@@ -1120,8 +1127,8 @@ under the License. <implements service="permissionInterface"/> <attribute name="partyId" type="String" mode="INOUT" optional="true"/> </service> - <service name="partyStatusPermissionCheck" engine="simple" - location="component://party/minilang/party/PartyPermissionServices.xml" invoke="partyStatusPermissionCheck"> + <service name="partyStatusPermissionCheck" engine="groovy" + location="component://party/groovyScripts/party/PartyPermissionServices.groovy" invoke="partyStatusPermissionCheck"> <description> Performs a party status security check. The userLogin partyId must equal the partyId parameter OR the user must have one of the base PARTYMGR or PARTYMGR_STS CRUD+ADMIN permissions. @@ -1129,8 +1136,8 @@ under the License. <implements service="permissionInterface"/> <attribute name="partyId" type="String" mode="IN" optional="true"/> </service> - <service name="partyGroupPermissionCheck" engine="simple" - location="component://party/minilang/party/PartyPermissionServices.xml" invoke="partyGroupPermissionCheck"> + <service name="partyGroupPermissionCheck" engine="groovy" + location="component://party/groovyScripts/party/PartyPermissionServices.groovy" invoke="partyGroupPermissionCheck"> <description> Performs a party group security check. The userLogin partyId must equal the partyId parameter OR the user has one of the base PARTYMGR or PARTYMGR_GRP CRUD+ADMIN permissions. 
@@ -1138,16 +1145,16 @@ under the License. <implements service="permissionInterface"/> <attribute name="partyId" type="String" mode="INOUT" optional="true"/> </service> - <service name="partyDatasourcePermissionCheck" engine="simple" - location="component://party/minilang/party/PartyPermissionServices.xml" invoke="partyDatasourcePermissionCheck"> + <service name="partyDatasourcePermissionCheck" engine="groovy" + location="component://party/groovyScripts/party/PartyPermissionServices.groovy" invoke="partyDatasourcePermissionCheck"> <description> Performs a party datasource security check. The user must have one of the base PARTYMGR or PARTYMGR_SRC CRUD+ADMIN permissions. </description> <implements service="permissionInterface"/> </service> - <service name="partyRolePermissionCheck" engine="simple" - location="component://party/minilang/party/PartyPermissionServices.xml" invoke="partyRolePermissionCheck"> + <service name="partyRolePermissionCheck" engine="groovy" + location="component://party/groovyScripts/party/PartyPermissionServices.groovy" invoke="partyRolePermissionCheck"> <description> Performs a party role security check. The user must have one of the base PARTYMGR or PARTYMGR_ROLE CRUD+ADMIN permissions. @@ -1155,8 +1162,8 @@ under the License. <implements service="permissionInterface"/> <attribute name="partyId" type="String" mode="INOUT" optional="true"/> </service> - <service name="partyRelationshipPermissionCheck" engine="simple" - location="component://party/minilang/party/PartyPermissionServices.xml" invoke="partyRelationshipPermissionCheck"> + <service name="partyRelationshipPermissionCheck" engine="groovy" + location="component://party/groovyScripts/party/PartyPermissionServices.groovy" invoke="partyRelationshipPermissionCheck"> <description> Performs a party relationship security check. The user must have one of the base PARTYMGR or PARTYMGR_REL CRUD+ADMIN permissions. 
@@ -1164,8 +1171,8 @@ under the License. <implements service="permissionInterface"/> <attribute name="partyIdFrom" type="String" mode="IN" optional="true"/> </service> - <service name="partyContactMechPermissionCheck" engine="simple" - location="component://party/minilang/party/PartyPermissionServices.xml" invoke="partyContactMechPermissionCheck"> + <service name="partyContactMechPermissionCheck" engine="groovy" + location="component://party/groovyScripts/party/PartyPermissionServices.groovy" invoke="partyContactMechPermissionCheck"> <description> Performs a party contact mech security check. The userLogin partyId must equal the partyId parameter OR the user must have one of the base PARTYMGR or PARTYMGR_PCM CRUD+ADMIN permissions. @@ -1173,8 +1180,8 @@ under the License. <implements service="permissionInterface"/> <attribute name="partyId" type="String" mode="IN" optional="true"/> </service> - <service name="accAndDecPartyInvitationPermissionCheck" engine="simple" - location="component://party/minilang/party/PartyPermissionServices.xml" invoke="accAndDecPartyInvitationPermissionCheck"> + <service name="accAndDecPartyInvitationPermissionCheck" engine="groovy" + location="component://party/groovyScripts/party/PartyPermissionServices.groovy" invoke="accAndDecPartyInvitationPermissionCheck"> <description> Performs accept and decline PartyInvitation security check. The userLogin partyId must equal the partyIdTo in PartyInvitation OR partyId fetched using emailAdress in PartyInvitation. 
@@ -1183,8 +1190,8 @@ under the License. <implements service="permissionInterface"/> <attribute name="partyInvitationId" type="String" mode="IN" optional="false"/> </service> - <service name="cancelPartyInvitationPermissionCheck" engine="simple" - location="component://party/minilang/party/PartyPermissionServices.xml" invoke="cancelPartyInvitationPermissionCheck"> + <service name="cancelPartyInvitationPermissionCheck" engine="groovy" + location="component://party/groovyScripts/party/PartyPermissionServices.groovy" invoke="cancelPartyInvitationPermissionCheck"> <description> Performs cancel PartyInvitation security check. The userLogin partyId must equal the partyId/partyIdFrom in PartyInvitation OR partyId fetched using emailAdress in PartyInvitation. @@ -1193,8 +1200,8 @@ under the License. <implements service="permissionInterface"/> <attribute name="partyInvitationId" type="String" mode="IN" optional="false"/> </service> - <service name="partyCommunicationEventPermissionCheck" engine="simple" - location="component://party/minilang/party/PartyPermissionServices.xml" invoke="partyCommunicationEventPermissionCheck"> + <service name="partyCommunicationEventPermissionCheck" engine="groovy" + location="component://party/groovyScripts/party/PartyPermissionServices.groovy" invoke="partyCommunicationEventPermissionCheck"> <description>Party CommunicationEvents Permission Checking Logic</description> <implements service="permissionInterface"/> <attribute name="partyIdFrom" type="String" mode="IN" optional="true"/> |
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit 8fc5028be99aa0df662dabbb93d0c9cd36271e6a Author: Nicolas Malin <[hidden email]> AuthorDate: Fri Mar 27 11:41:03 2020 +0100 Fixed: correct path to ftpAddress services (OFBIZ-11359) After the minilang ContactMarchServices.xml to groovy, I forgot to change the path of existant ftpAddress services already present before. Thanks to Olivier Heintz for this alert --- applications/party/servicedef/services_contact.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/applications/party/servicedef/services_contact.xml b/applications/party/servicedef/services_contact.xml
index 1fa4461..90fd990 100644
--- a/applications/party/servicedef/services_contact.xml
+++ b/applications/party/servicedef/services_contact.xml
@@ -91,14 +91,14 @@ under the License.
 <attribute name="emailAddress" type="String" mode="IN" optional="false"/>
 </service>
 <service name="createFtpAddress" default-entity-name="FtpAddress" engine="groovy" invoke="createFtpAddress"
- location="component://party/groovyScripts/party/ContactMechServices.groovy">
+ location="component://party/groovyScripts/contact/ContactMechServices.groovy">
 <description>create FtpAddress</description>
 <permission-service service-name="partyBasePermissionCheck" main-action="CREATE"/>
 <auto-attributes mode="OUT" include="pk"/>
 <auto-attributes mode="IN" include="nonpk" optional="true"/>
 </service>
 <service name="updateFtpAddressWithHistory" default-entity-name="FtpAddress" engine="groovy" invoke="updateFtpAddressWithHistory"
- location="component://party/groovyScripts/party/ContactMechServices.groovy">
+ location="component://party/groovyScripts/contact/ContactMechServices.groovy">
 <description>update FtpAddress</description>
 <permission-service service-name="partyBasePermissionCheck" main-action="UPDATE"/>
 <auto-attributes mode="IN" include="pk"/>
|
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit 37f33f48ff56a1201181e51bc3a2c2fb373e2e43 Author: Nicolas Malin <[hidden email]> AuthorDate: Fri Mar 27 11:46:11 2020 +0100 Fixed: correct path to ftpAddress services (OFBIZ-11359) After the minilang ContactMarchServices.xml to groovy, I forgot to change the path of existant ftpAddress services already present before. Thanks to Olivier Heintz for this alert --- applications/party/servicedef/services.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/applications/party/servicedef/services.xml b/applications/party/servicedef/services.xml index b26dcfc..fc71f8e 100644 --- a/applications/party/servicedef/services.xml +++ b/applications/party/servicedef/services.xml @@ -505,7 +505,7 @@ under the License. <attribute name="partyIdTo" type="String" mode="IN" optional="false"/> </service> <service name="createPartyFtpAddress" engine="groovy" - location="component://party/groovyScripts/party/ContactMechServices.groovy" invoke="createPartyFtpAddress" auth="true"> + location="component://party/groovyScripts/contact/ContactMechServices.groovy" invoke="createPartyFtpAddress" auth="true"> <description>Create an Ftp Address associated to a party</description> <permission-service service-name="partyContactMechPermissionCheck" main-action="CREATE"/> <auto-attributes entity-name="ContactMech" include="nonpk" mode="IN" optional="true"/> 
@@ -515,7 +515,7 @@ under the License.
 <attribute name="contactMechId" type="String" mode="INOUT" optional="true"/>
 </service>
 <service name="updatePartyFtpAddress" engine="groovy"
- location="component://party/groovyScripts/party/ContactMechServices.groovy" invoke="updatePartyFtpAddress" auth="true">
+ location="component://party/groovyScripts/contact/ContactMechServices.groovy" invoke="updatePartyFtpAddress" auth="true">
 <description>Update an Ftp Address associated to a party</description>
 <permission-service service-name="partyContactMechPermissionCheck" main-action="UPDATE"/>
 <auto-attributes entity-name="PartyContactMech" mode="IN" optional="true"/> |
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit 5bc579ab4a6679e5840e7b9aeb377859441dd02e Author: Jacques Le Roux <[hidden email]> AuthorDate: Thu Feb 27 14:36:26 2020 +0100 Merges OFBiz trunk |
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit 768353a09339eb431c89d50ee96568a998352d4b Author: Jacques Le Roux <[hidden email]> AuthorDate: Sat Apr 4 15:25:16 2020 +0200 Improved: Implemented: Documented: Completed: Reverted: Fixed: (OFBIZ-) Explanation Thanks:
--- .../security/src/main/java/org/apache/ofbiz/security/CsrfUtil.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/CsrfUtil.java b/framework/security/src/main/java/org/apache/ofbiz/security/CsrfUtil.java
index eaf5635..9d400b8 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/CsrfUtil.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/CsrfUtil.java
@@ -139,7 +139,7 @@ public class CsrfUtil {
 // e.g. "/viewprofile?partyId=Company" to "/viewprofile"
 requestUri = requestUri.substring(0, requestUri.indexOf("?"));
 }
- String controlServletPart = "/control/";
+ String controlServletPart = "/control/"; // TODO remove with OFBIZ-11229
 if (requestUri.contains(controlServletPart)) {
 // e.g. "/partymgr/control/viewprofile" to "viewprofile"
 requestUri = requestUri.substring(requestUri.indexOf(controlServletPart) + controlServletPart.length()); |
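Review bot: The TODO added on the `controlServletPart` line names OFBIZ-11229 but says nothing about what is expected to change, so a reader of this method cannot tell whether only the hard-coded `"/control/"` literal goes away or the whole stripping step that follows it; since the normalized `requestUri` appears to feed the CSRF token handling in this class, that distinction matters to whoever maintains it. State the intent in place rather than pointing at the issue alone, e.g. `// TODO remove with OFBIZ-11229: drop this "/control/" stripping once the path segment is no longer part of request URIs (confirm against the issue)`. The enclosing method starts and ends outside the hunk, so the guard that closes at the `}` near the top and what is done with `requestUri` afterwards are not visible here.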
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit 645d419574f24ab7e9218ec9ad7373fb98601b06 Merge: 768353a 8ee522e Author: Jacques Le Roux <[hidden email]> AuthorDate: Sat Apr 4 17:52:06 2020 +0200 Merge branch 'trunk' into POC-for-CSRF-Token-OFBIZ-11306 applications/datamodel/DATAMODEL_CHANGES.md | 15 +++++++++++++++ framework/security/config/security.properties | 3 +-- .../template/includes/AjaxAutocompleteOptions.ftl | 2 +- 3 files changed, 17 insertions(+), 3 deletions(-) diff --cc framework/security/config/security.properties index 525b247,b65cc24..e019061 --- a/framework/security/config/security.properties +++ b/framework/security/config/security.properties @@@ -155,22 -155,3 +155,21 @@@ security.token.key=security.token.ke # -- By default the SameSite value in SameSiteFilter is strict. This allows to change it to lax if needed SameSiteCookieAttribute= - +# -- The cache size for the Tokens Maps that stores the CSRF tokens. +# -- RemoveEldestEntry is used when it's get above csrf.cache.size +# -- Default is 5000 +# -- TODO: separate tokenMap from partyTokenMap +csrf.cache.size= + +# -- Parameter name for CSRF token. Default is "csrf" if not specified +csrf.tokenName.nonAjax= + +# -- The csrf.entity.request.limit is used to show how to avoid cluttering the Tokens Maps cache with URIs starting with "entity/" +# -- It can be useful with large Database contents, ie with a large numbers of tuples, like "entity/edit/Agreement/10000, etc. +# -- The same principle can be extended to other cases similar to "entity/" URIs (harcoded or using similar properties). +# -- Default is 3 +csrf.entity.request.limit= + +# csrf defense strategy. Default is org.apache.ofbiz.security.CsrfDefenseStrategy if not specified. +# use org.apache.ofbiz.security.NoCsrfDefenseStrategy to disable CSRF check totally. - csrf.defense.strategy= ++csrf.defense.strategy= |
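Review bot: Two of the new comment lines in `security.properties` are the text an operator reads when sizing the CSRF token cache, and they are hard to parse as written (`RemoveEldestEntry is used when it's get above csrf.cache.size`, `harcoded or using similar properties`). Suggested wording: `# -- The token maps evict their eldest entry (removeEldestEntry) once they grow beyond csrf.cache.size` and `# -- The same principle can be extended to other URI prefixes similar to "entity/" (hard-coded or driven by similar properties).` It would also help to say in the `csrf.cache.size` comment that an evicted token can no longer be validated, since that is the operational consequence of setting the limit too low; this is an inference from the eviction description and should be confirmed against CsrfUtil before adding it.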
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit ba548f626ece855d1fb533a4207e262d76cf0430 Merge: 8ee522e 645d419 Author: Jacques Le Roux <[hidden email]> AuthorDate: Sat Apr 4 17:58:07 2020 +0200 Merge branch 'JacquesLeRoux-POC-for-CSRF-Token-OFBIZ-11306' into trunk Because of GitHub message on PR56: This branch cannot be rebased due to conflicts .../humanres/template/category/CategoryTree.ftl | 16 +- .../category/ftl/CatalogAltUrlSeoTransform.java | 8 +- .../product/category/ftl/UrlRegexpTransform.java | 13 +- .../product/template/category/CategoryTree.ftl | 2 +- .../java/org/apache/ofbiz/common/CommonEvents.java | 3 +- .../common/webcommon/WEB-INF/common-controller.xml | 4 +- framework/security/config/security.properties | 22 +- .../apache/ofbiz/security/CsrfDefenseStrategy.java | 93 ++++++ .../java/org/apache/ofbiz/security/CsrfUtil.java | 358 +++++++++++++++++++++ .../ofbiz/security/ICsrfDefenseStrategy.java | 55 ++++ .../ofbiz/security/NoCsrfDefenseStrategy.java | 50 +++ .../org/apache/ofbiz/security/CsrfUtilTests.java | 264 +++++++++++++++ framework/webapp/dtd/site-conf.xsd | 14 + .../ofbiz/webapp/control/ConfigXMLReader.java | 3 + .../ofbiz/webapp/control/ControlEventListener.java | 3 + .../ofbiz/webapp/control/RequestHandler.java | 33 +- .../ofbiz/webapp/ftl/CsrfTokenAjaxTransform.java | 75 +++++ .../webapp/ftl/CsrfTokenPairNonAjaxTransform.java | 76 +++++ .../ofbiz/webapp/freemarkerTransforms.properties | 2 + .../webtools/groovyScripts/entity/CheckDb.groovy | 7 +- .../webtools/groovyScripts/entity/EntityRef.groovy | 6 + framework/webtools/template/entity/CheckDb.ftl | 28 +- .../webtools/template/entity/EntityRefList.ftl | 9 +- framework/webtools/template/entity/ViewGeneric.ftl | 5 +- .../webapp/webtools/WEB-INF/controller.xml | 2 +- .../java/org/apache/ofbiz/widget/WidgetWorker.java | 14 + .../widget/renderer/macro/MacroFormRenderer.java | 14 +- themes/bluelight/template/Header.ftl | 6 +- 
.../common-theme/template/includes/ListLocales.ftl | 2 +- .../template/macro/CsvFormMacroLibrary.ftl | 2 +- .../template/macro/FoFormMacroLibrary.ftl | 2 +- .../template/macro/HtmlFormMacroLibrary.ftl | 8 +- .../template/macro/TextFormMacroLibrary.ftl | 2 +- .../template/macro/XlsFormMacroLibrary.ftl | 2 +- .../template/macro/XmlFormMacroLibrary.ftl | 2 +- .../webapp/common/js/util/OfbizUtil.js | 12 +- themes/flatgrey/template/Header.ftl | 6 +- themes/rainbowstone/template/includes/Header.ftl | 4 + .../rainbowstone/template/includes/TopAppBar.ftl | 2 +- themes/tomahawk/template/AppBarClose.ftl | 2 +- themes/tomahawk/template/Header.ftl | 4 + 41 files changed, 1176 insertions(+), 59 deletions(-) |