Author: jleroux
Date: Sun Sep 13 08:31:55 2015
New Revision: 1702704

URL: http://svn.apache.org/r1702704
Log:
A patch for "createQuoteRole, createContentRole, and createRequirementRole allow for adding Roles to a Party without permissions" https://issues.apache.org/jira/browse/OFBIZ-6605

Reported by Forrest Rae:
The following functions automatically add a PartyRole entry if the PartyRole does not exist. This is possible even when the userLogin doesn't have PARTYMGR_UPDATE or PARTYMGR_CREATE.

createQuoteRole
createContentRole
createRequirementRole

Repro:
1) Remove PARTYMGR_UPDATE or PARTYMGR_CREATE permissions from the ORDERENTRY group.
2) Login as DemoRepStore
3) Create a Quote
4) Add a QuoteRole with partyId of DemoRepStore and Role of your choosing.
5) View DemoRepStore roles.

This is a security problem for anyone building a component that leverages Role based security.

jleroux: simple solution, check, before creating the new role, that the user has PARTYMGR_UPDATE or PARTYMGR_CREATE.

Modified:
    ofbiz/trunk/applications/content/script/org/ofbiz/content/content/ContentServices.xml
    ofbiz/trunk/applications/order/script/org/ofbiz/order/quote/QuoteServices.xml
    ofbiz/trunk/applications/order/script/org/ofbiz/order/requirement/RequirementServices.xml
    ofbiz/trunk/applications/party/config/PartyErrorUiLabels.xml

Modified: ofbiz/trunk/applications/content/script/org/ofbiz/content/content/ContentServices.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/script/org/ofbiz/content/content/ContentServices.xml?rev=1702704&r1=1702703&r2=1702704&view=diff
==============================================================================
--- ofbiz/trunk/applications/content/script/org/ofbiz/content/content/ContentServices.xml (original)
+++ ofbiz/trunk/applications/content/script/org/ofbiz/content/content/ContentServices.xml Sun Sep 13 08:31:55 2015
@@ -278,6 +278,14 @@ <set-pk-fields value-field="partyRolePK" map="parameters"/> <find-by-primary-key entity-name="PartyRole" map="partyRolePK" value-field="partyRole"/> <if-empty field="partyRole"> + <check-permission permission="PARTYMGR" action="_CREATE"> + <fail-property resource="OrderErrorUiLabels" property="OrderErrorCreatePermissionError"/> + </check-permission> + <check-errors/> + <check-permission permission="PARTYMGR" action="_UPDATE"> + <fail-property resource="OrderErrorUiLabels" property="OrderErrorCreatePermissionError"/> + </check-permission> + <check-errors/> <make-value entity-name="PartyRole" map="partyRolePK" value-field="partyRole"/> <create-value value-field="partyRole"/> </if-empty> Modified: ofbiz/trunk/applications/order/script/org/ofbiz/order/quote/QuoteServices.xml URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/script/org/ofbiz/order/quote/QuoteServices.xml?rev=1702704&r1=1702703&r2=1702704&view=diff ============================================================================== --- ofbiz/trunk/applications/order/script/org/ofbiz/order/quote/QuoteServices.xml (original) +++ ofbiz/trunk/applications/order/script/org/ofbiz/order/quote/QuoteServices.xml Sun Sep 13 08:31:55 2015 
@@ -282,6 +282,14 @@ under the License. <set from-field="parameters.roleTypeId" field="lookupPKMap.roleTypeId"/> <find-by-primary-key entity-name="PartyRole" map="lookupPKMap" value-field="partyRole"/> <if-empty field="partyRole.partyId"> + <check-permission permission="PARTYMGR" action="_CREATE"> + <fail-property resource="OrderErrorUiLabels" property="OrderErrorCreatePermissionError"/> + </check-permission> + <check-errors/> + <check-permission permission="PARTYMGR" action="_UPDATE"> + <fail-property resource="OrderErrorUiLabels" property="OrderErrorCreatePermissionError"/> + </check-permission> + <check-errors/> <make-value value-field="partyRole" entity-name="PartyRole"/> <set-pk-fields map="lookupPKMap" value-field="partyRole"/> <create-value value-field="partyRole"/> Modified: ofbiz/trunk/applications/order/script/org/ofbiz/order/requirement/RequirementServices.xml URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/script/org/ofbiz/order/requirement/RequirementServices.xml?rev=1702704&r1=1702703&r2=1702704&view=diff ============================================================================== --- ofbiz/trunk/applications/order/script/org/ofbiz/order/requirement/RequirementServices.xml (original) +++ ofbiz/trunk/applications/order/script/org/ofbiz/order/requirement/RequirementServices.xml Sun Sep 13 08:31:55 2015 
@@ -107,6 +107,14 @@ under the License. <set from-field="parameters.roleTypeId" field="lookupPKMap.roleTypeId"/> <find-by-primary-key entity-name="PartyRole" map="lookupPKMap" value-field="partyRole"/> <if-empty field="partyRole.partyId"> + <check-permission permission="PARTYMGR" action="_CREATE"> + <fail-property resource="OrderErrorUiLabels" property="OrderErrorCreatePermissionError"/> + </check-permission> + <check-errors/> + <check-permission permission="PARTYMGR" action="_UPDATE"> + <fail-property resource="OrderErrorUiLabels" property="OrderErrorCreatePermissionError"/> + </check-permission> + <check-errors/> <make-value value-field="partyRole" entity-name="PartyRole"/> <set-pk-fields map="lookupPKMap" value-field="partyRole"/> <create-value value-field="partyRole"/> Modified: ofbiz/trunk/applications/party/config/PartyErrorUiLabels.xml URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/config/PartyErrorUiLabels.xml?rev=1702704&r1=1702703&r2=1702704&view=diff ============================================================================== --- ofbiz/trunk/applications/party/config/PartyErrorUiLabels.xml (original) +++ ofbiz/trunk/applications/party/config/PartyErrorUiLabels.xml Sun Sep 13 08:31:55 2015 
@@ -1171,6 +1171,16 @@ <value xml:lang="zh">å¿ é¡»çåæ° 'email' ä¸è½ä¸ºç©ºã</value> <value xml:lang="zh-TW">å¿ è¦ç忏 'email' ä¸è½çºç©º.</value> </property> + <property key="PartyErrorCreatePermissionError"> + <value xml:lang="ar">خطأ Ø£Ù ÙÙ: ÙØ¬Ø¨ Ø£Ù ÙÙÙÙ ÙØ¯Ù٠أذ٠PARTYMGR_CREATE Ø£Ù PARTYMGR_UPDATE ÙØªØ´ØºÙ ${resourceDescription}</value> + <value xml:lang="de">Berechtigungsfehler: Um ${resourceDescription} auszuführen muss man PARTYMGR_CREATE oder PARTYMGR_UPDATE Berechtigungen haben</value> + <value xml:lang="en">Security Error: to run ${resourceDescription} you must have the PARTYMGR_CREATE or PARTYMGR_UPDATE permission</value> + <value xml:lang="fr">Erreur de sécurité : pour effectuer ${resourceDescription} vous devez avoir l'autorisation PARTYMGR_CREATE ou PARTYMGR_UPDATE</value> + <value xml:lang="it">Errore di sicurezza: per eseguire ${resourceDescription} devi avere il permesso PARTYMGR_CREATE o PARTYMGR_UPDATE</value> + <value xml:lang="ja">ã»ãã¥ãªãã£ã¨ã©ã¼: ${resourceDescription} ãå®è¡ããã«ã¯ PARTYMGR_CREATE ã¾ã㯠PARTYMGR_UPDATE 権éãå¿ è¦ã§ã</value> + <value xml:lang="vi">Lá»i phân quyá»n: Äá» thá»±c thi ${resourceDescription} bạn cần có quyá»n PARTYMGR_CREATE hoặc PARTYMGR_UPDATE</value> + <value xml:lang="zh">ç³»ç»é误ï¼è¦è¿è¡${resourceDescription}ï¼ä½ å¿ é¡»æ PARTYMGR_CREATE æ PARTYMGR_UPDATE æé</value> + </property> <property key="person.create.db_error"> <value xml:lang="de">Kann Informationen zur Person nicht hinzufügen (Schreibfehler): ${0}</value> <value xml:lang="en">Could not add person info (write failure): ${0}</value> |
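Review bot: In the ContentServices.xml hunk (@@ -278,6 +278,14 @@) the two back-to-back `<check-permission>` / `<check-errors/>` pairs demand PARTYMGR_CREATE *and* PARTYMGR_UPDATE, not one or the other as the commit message and the new label state: a user holding only PARTYMGR_CREATE is rejected at the second `<check-errors/>`, and one holding only PARTYMGR_UPDATE never gets past the first. Minilang expresses the intended disjunction with a nested `<alt-permission>` inside a single check, e.g. `<check-permission permission="PARTYMGR" action="_CREATE">` / `<alt-permission permission="PARTYMGR" action="_UPDATE"/>` followed by the one `<fail-property>` and a single `<check-errors/>`. Separately, the `<fail-property resource="OrderErrorUiLabels" property="OrderErrorCreatePermissionError"/>` points a content-component service at an order-component resource, and this patch does not add that key; the key it does add is `PartyErrorCreatePermissionError` in PartyErrorUiLabels.xml, which is what the fail-property should reference unless OrderErrorCreatePermissionError is already defined elsewhere (not visible here).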
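Review bot: The QuoteServices.xml hunk (@@ -282,6 +282,14 @@) has the same conjunction problem: PARTYMGR_CREATE and PARTYMGR_UPDATE are each checked with their own `<check-errors/>`, so both are required, which is stricter than the "PARTYMGR_UPDATE or PARTYMGR_CREATE" the fix is described as enforcing and will break callers in the reporter's scenario once they are granted just one of the two. Collapse the pair into one `<check-permission permission="PARTYMGR" action="_CREATE">` carrying an `<alt-permission permission="PARTYMGR" action="_UPDATE"/>`, one `<fail-property>`, one `<check-errors/>`. The gate sits correctly inside `<if-empty field="partyRole.partyId">`, so only the path that silently creates a missing PartyRole is affected, which matches the report. The fail-property here also names `OrderErrorUiLabels` / `OrderErrorCreatePermissionError` rather than the `PartyErrorCreatePermissionError` key this commit adds to PartyErrorUiLabels.xml.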
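Review bot: The RequirementServices.xml hunk (@@ -107,6 +107,14 @@) is a verbatim copy of the QuoteServices.xml block, including the both-permissions-required sequencing and the `OrderErrorUiLabels` / `OrderErrorCreatePermissionError` reference that does not match the label added in this commit. Three identical copies of a security check are a maintenance risk (the next fix to one will be forgotten in the others); move the check into a single simple-method in the party component and invoke it from all three places with `<call-simple-method>`, so the create-or-update semantics and the error label live in one spot.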
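Review bot: In the PartyErrorUiLabels.xml hunk (@@ -1171,6 +1171,16 @@) the new key `PartyErrorCreatePermissionError` is not referenced by any of the three service hunks in this commit, which all use `OrderErrorUiLabels` / `OrderErrorCreatePermissionError`, so as committed this label is never shown. Its wording ("PARTYMGR_CREATE or PARTYMGR_UPDATE") is the right contract, and the service checks should be changed to match it rather than the other way round; once they reference this key, confirm `${resourceDescription}` is actually populated in the context where `<fail-property>` resolves the message, otherwise the user sees the placeholder literally.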