Author: ashish
Date: Sat Dec 20 09:44:24 2014
New Revision: 1646938
URL: http://svn.apache.org/r1646938
Log: Applied bug fix from trunk r1646934.
====================================================================================
Applied patch from jira issue - OFBIZ-4360 - Content is getting public to web search engine no privacy. Thanks Deepak for the contribution. Thanks patrick LE BLAN for creating the issue.
====================================================================================
Modified: ofbiz/branches/release13.07/applications/content/src/org/ofbiz/content/view/SimpleContentViewHandler.java
Modified: ofbiz/branches/release13.07/applications/content/src/org/ofbiz/content/view/SimpleContentViewHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/branches/release13.07/applications/content/src/org/ofbiz/content/view/SimpleContentViewHandler.java?rev=1646938&r1=1646937&r2=1646938&view=diff
==============================================================================
--- ofbiz/branches/release13.07/applications/content/src/org/ofbiz/content/view/SimpleContentViewHandler.java (original)
+++ ofbiz/branches/release13.07/applications/content/src/org/ofbiz/content/view/SimpleContentViewHandler.java Sat Dec 20 09:44:24 2014
@@ -25,10 +25,12 @@ import java.sql.Timestamp;
 import java.text.ParseException;
 import java.util.List;
 import java.util.Locale;
+import java.util.Map;
 import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 import org.ofbiz.base.util.Debug;
 import org.ofbiz.base.util.GeneralException;
@@ -41,6 +43,10 @@ import org.ofbiz.content.data.DataResour
 import org.ofbiz.entity.Delegator;
 import org.ofbiz.entity.GenericEntityException;
 import org.ofbiz.entity.GenericValue;
+import org.ofbiz.entity.util.EntityUtilProperties;
+import org.ofbiz.service.GenericServiceException;
+import org.ofbiz.service.LocalDispatcher;
+import org.ofbiz.service.ServiceUtil;
 import org.ofbiz.webapp.view.AbstractViewHandler;
 import org.ofbiz.webapp.view.ViewHandlerException;
 import org.ofbiz.webapp.website.WebSiteWorker;
@@ -62,6 +68,9 @@ public class SimpleContentViewHandler ex
 */
 public void render(String name, String page, String info, String contentType, String encoding, HttpServletRequest request, HttpServletResponse response) throws ViewHandlerException {
+ LocalDispatcher dispatcher = (LocalDispatcher) request.getAttribute("dispatcher");
+ HttpSession session = request.getSession();
+ GenericValue userLogin = (GenericValue) session.getAttribute("userLogin");
 String contentId = request.getParameter("contentId");
 String rootContentId = request.getParameter("rootContentId");
 String mapKey = request.getParameter("mapKey");
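Review bot: `HttpSession session = request.getSession();` on the second added line of the render hunk creates a session when the request has none, so every anonymous fetch of a content URL — crawler traffic included, which is the traffic this change is aimed at — allocates server-side session state. Unless the surrounding servlet stack already guarantees a session at this point (not visible here), `HttpSession session = request.getSession(false);` followed by `GenericValue userLogin = session == null ? null : (GenericValue) session.getAttribute("userLogin");` avoids that and still yields a null userLogin for anonymous callers. The `dispatcher` request attribute is cast without a null check, so a missing attribute would surface later in render as a NullPointerException rather than a clear error. The body of render continues outside this hunk.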
@@ -141,13 +150,50 @@ public class SimpleContentViewHandler ex
 if (UtilValidate.isEmpty(charset)) {
 charset = "UTF-8";
 }
-
+
 // setup content type
 String contentType2 = UtilValidate.isNotEmpty(mimeTypeId) ? mimeTypeId + "; charset=" +charset : contentType;
 String fileName = null;
 if (!UtilValidate.isEmpty(dataResource.getString("dataResourceName"))) {
 fileName = dataResource.getString("dataResourceName").replace(" ", "_"); // spaces in filenames can be a problem
 }
+
+ // see if data resource is public or not
+ String isPublic = dataResource.getString("isPublic");
+ if (UtilValidate.isEmpty(isPublic)) {
+ isPublic = "N";
+ }
+ // get the permission service required for streaming data; default is always the genericContentPermission
+ String permissionService = EntityUtilProperties.getPropertyValue("content.properties", "stream.permission.service", "genericContentPermission", delegator);
+
+ // not public check security
+ if (!"Y".equalsIgnoreCase(isPublic)) {
+ // do security check
+ Map<String, ? extends Object> permSvcCtx = UtilMisc.toMap("userLogin", userLogin, "locale", locale, "mainAction", "VIEW", "contentId", contentId);
+ Map<String, Object> permSvcResp;
+ try {
+ permSvcResp = dispatcher.runSync(permissionService, permSvcCtx);
+ } catch (GenericServiceException e) {
+ Debug.logError(e, module);
+ request.setAttribute("_ERROR_MESSAGE_", e.getMessage());
+ throw new ViewHandlerException(e.getMessage());
+ }
+ if (ServiceUtil.isError(permSvcResp)) {
+ String errorMsg = ServiceUtil.getErrorMessage(permSvcResp);
+ Debug.logError(errorMsg, module);
+ request.setAttribute("_ERROR_MESSAGE_", errorMsg);
+ throw new ViewHandlerException(errorMsg);
+ }
+
+ // no service errors; now check the actual response
+ Boolean hasPermission = (Boolean) permSvcResp.get("hasPermission");
+ if (!hasPermission.booleanValue()) {
+ String errorMsg = (String) permSvcResp.get("failMessage");
+ Debug.logError(errorMsg, module);
+ request.setAttribute("_ERROR_MESSAGE_", errorMsg);
+ throw new ViewHandlerException(errorMsg);
+ }
+ }
 UtilHttp.streamContentToBrowser(response, bais, byteBuffer.limit(), contentType2, fileName);
 }
 } catch (GenericEntityException e) { |
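Review bot: `Boolean hasPermission = (Boolean) permSvcResp.get("hasPermission");` is unboxed on the very next line, so a permission service whose successful response omits `hasPermission` fails with a NullPointerException instead of the ViewHandlerException and `_ERROR_MESSAGE_` the block intends; `if (!Boolean.TRUE.equals(hasPermission)) {` keeps the deny-by-default outcome while taking the intended error path, and since `failMessage` may likewise be absent, `String errorMsg = permSvcResp.get("failMessage") != null ? (String) permSvcResp.get("failMessage") : "Permission denied for contentId " + contentId;` keeps the log entry and error attribute meaningful. The check hands the permission service the raw `contentId` request parameter; for requests that address content via rootContentId/mapKey (read in the earlier hunk, resolved outside this one) that value may be null, so it is worth confirming that the identifier of the content actually resolved is the one being checked. The check also sits after the resource bytes have already been read into byteBuffer (above the hunk), so an unauthorized request still pays the full read; once dataResource and isPublic are known the check could run before the bytes are loaded. `Map<String, ? extends Object>` could likely be written as `Map<String, Object>` to match `permSvcResp`.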