Author: jonesde
Date: Tue Feb 20 13:54:43 2007
New Revision: 509769
URL: http://svn.apache.org/viewvc?view=rev&rev=509769
Log: Plugged a rather dangerous security hole: these entity import/export services only required auth to run and had no permission checking, they now require the ENTITY_MAINT permission
Modified: ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/WebToolsServices.java
Modified: ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/WebToolsServices.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/WebToolsServices.java?view=diff&rev=509769&r1=509768&r2=509769
==============================================================================
--- ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/WebToolsServices.java (original)
+++ ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/WebToolsServices.java Tue Feb 20 13:54:43 2007
@@ -48,6 +48,7 @@
 import org.ofbiz.base.util.Debug;
 import org.ofbiz.base.util.StringUtil;
 import org.ofbiz.base.util.UtilMisc;
+import org.ofbiz.base.util.UtilProperties;
 import org.ofbiz.base.util.UtilURL;
 import org.ofbiz.base.util.UtilValidate;
 import org.ofbiz.base.util.UtilDateTime;
@@ -60,6 +61,7 @@
 import org.ofbiz.entity.model.ModelReader;
 import org.ofbiz.entity.model.ModelEntity;
 import org.ofbiz.entity.model.ModelViewEntity;
+import org.ofbiz.security.Security;
 import org.ofbiz.service.DispatchContext;
 import org.ofbiz.service.LocalDispatcher;
 import org.ofbiz.service.ServiceUtil;
@@ -78,8 +80,13 @@
     public static final String module = WebToolsServices.class.getName();
     public static Map entityImport(DispatchContext dctx, Map context) {
-        LocalDispatcher dispatcher = dctx.getDispatcher();
         GenericValue userLogin = (GenericValue) context.get("userLogin");
+        Security security = dctx.getSecurity();
+        if (!security.hasPermission("ENTITY_MAINT", userLogin)) {
+            return ServiceUtil.returnError(UtilProperties.getMessage("WebtoolsUiLabels", "WebtoolsPermissionError", (Locale) context.get("locale")));
+        }
+
+        LocalDispatcher dispatcher = dctx.getDispatcher();
         List messages = new ArrayList();
@@ -196,8 +203,13 @@
     }
     public static Map entityImportDir(DispatchContext dctx, Map context) {
-        LocalDispatcher dispatcher = dctx.getDispatcher();
         GenericValue userLogin = (GenericValue) context.get("userLogin");
+        Security security = dctx.getSecurity();
+        if (!security.hasPermission("ENTITY_MAINT", userLogin)) {
+            return ServiceUtil.returnError(UtilProperties.getMessage("WebtoolsUiLabels", "WebtoolsPermissionError", (Locale) context.get("locale")));
+        }
+
+        LocalDispatcher dispatcher = dctx.getDispatcher();
         List messages = new ArrayList();
@@ -299,6 +311,12 @@
     }
     public static Map entityImportReaders(DispatchContext dctx, Map context) {
+        GenericValue userLogin = (GenericValue) context.get("userLogin");
+        Security security = dctx.getSecurity();
+        if (!security.hasPermission("ENTITY_MAINT", userLogin)) {
+            return ServiceUtil.returnError(UtilProperties.getMessage("WebtoolsUiLabels", "WebtoolsPermissionError", (Locale) context.get("locale")));
+        }
+
         String readers = (String) context.get("readers");
         String overrideDelegator = (String) context.get("overrideDelegator");
         String overrideGroup = (String) context.get("overrideGroup");
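Review bot: The same four-line ENTITY_MAINT gate is pasted verbatim into every service this commit touches (entityImport here, then entityImportDir and entityImportReaders in the following hunks, and the two on the next page); a private helper that returns the error map or null keeps the label lookup in one place and makes it much harder for the next webtools service to forget the check. Separately, `security.hasPermission("ENTITY_MAINT", userLogin)` appears to test that one literal permission, whereas OFBiz's `hasEntityPermission("ENTITY", "_MAINT", userLogin)` is (as far as I recall) the variant that also honours `ENTITY_ADMIN` — confirm which is intended, otherwise an account holding only the admin permission is refused. Also confirm that `hasPermission` denies rather than throws when `userLogin` is null, since nothing in the hunk guarantees the service was invoked with auth. The body of entityImport continues past the hunk.
```java
    /** Returns an error result map if the caller lacks ENTITY_MAINT, otherwise null. */
    private static Map checkEntityMaintPermission(DispatchContext dctx, Map context) {
        GenericValue userLogin = (GenericValue) context.get("userLogin");
        if (!dctx.getSecurity().hasPermission("ENTITY_MAINT", userLogin)) {
            return ServiceUtil.returnError(UtilProperties.getMessage("WebtoolsUiLabels", "WebtoolsPermissionError", (Locale) context.get("locale")));
        }
        return null;
    }

    public static Map entityImport(DispatchContext dctx, Map context) {
        Map permissionError = checkEntityMaintPermission(dctx, context);
        if (permissionError != null) {
            return permissionError;
        }
        GenericValue userLogin = (GenericValue) context.get("userLogin");
        LocalDispatcher dispatcher = dctx.getDispatcher();
        // … unchanged: messages list and the rest of the import body …
```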
@@ -394,6 +412,12 @@
     }
     public static Map parseEntityXmlFile(DispatchContext dctx, Map context) {
+        GenericValue userLogin = (GenericValue) context.get("userLogin");
+        Security security = dctx.getSecurity();
+        if (!security.hasPermission("ENTITY_MAINT", userLogin)) {
+            return ServiceUtil.returnError(UtilProperties.getMessage("WebtoolsUiLabels", "WebtoolsPermissionError", (Locale) context.get("locale")));
+        }
+
         GenericDelegator delegator = dctx.getDelegator();
         URL url = (URL)context.get("url");
@@ -430,6 +454,12 @@
     }
     public static Map entityExportAll(DispatchContext dctx, Map context) {
+        GenericValue userLogin = (GenericValue) context.get("userLogin");
+        Security security = dctx.getSecurity();
+        if (!security.hasPermission("ENTITY_MAINT", userLogin)) {
+            return ServiceUtil.returnError(UtilProperties.getMessage("WebtoolsUiLabels", "WebtoolsPermissionError", (Locale) context.get("locale")));
+        }
+
         GenericDelegator delegator = dctx.getDelegator();
         String outpath = (String)context.get("outpath"); // mandatory |
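Review bot: The new gate is the only control on `URL url = (URL)context.get("url")`, which is caller-supplied and, judging by the method name, is opened and parsed as XML further down (outside the hunk), so anyone holding ENTITY_MAINT can make the server fetch an arbitrary URL or local file. That is defensible for an admin-only tool, but it should be stated at the check, e.g. `// ENTITY_MAINT is the sole gate on the caller-supplied url below; never relax to a lesser role`, and it is worth confirming that the parser used later disables DTDs and external entities so a hostile document cannot turn this into XXE. parseEntityXmlFile continues beyond the hunk.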
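Review bot: `String outpath = (String)context.get("outpath")` is still taken straight from the caller with no normalization or base-directory check visible in the hunk, so after this commit the ENTITY_MAINT requirement is the only thing standing between a service call and a file write to any location the JVM user can reach (assuming the code below writes to that path, which is outside the hunk). Either record that trust boundary next to the check, `// outpath is trusted only because ENTITY_MAINT is enforced above`, or resolve it against a configured export directory and reject anything that normalizes outside it. entityExportAll continues past the hunk.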