Author: ashish
Date: Sat Dec 20 09:26:21 2014
New Revision: 1646934
URL: http://svn.apache.org/r1646934
Log:
Applied patch from jira issue - OFBIZ-4360 - Content is getting public to web
search engine no privacy.
Thanks Deepak for the contribution. Thanks patrick LE BLAN for creating the
issue.
Modified:
ofbiz/trunk/applications/content/src/org/ofbiz/content/view/SimpleContentViewHandler.java
Modified:
ofbiz/trunk/applications/content/src/org/ofbiz/content/view/SimpleContentViewHandler.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/src/org/ofbiz/content/view/SimpleContentViewHandler.java?rev=1646934&r1=1646933&r2=1646934&view=diff
==============================================================================
---
ofbiz/trunk/applications/content/src/org/ofbiz/content/view/SimpleContentViewHandler.java
(original)
+++
ofbiz/trunk/applications/content/src/org/ofbiz/content/view/SimpleContentViewHandler.java
Sat Dec 20 09:26:21 2014
@@ -25,10 +25,12 @@ import java.sql.Timestamp;
import java.text.ParseException;
import java.util.List;
import java.util.Locale;
+import java.util.Map;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
import org.ofbiz.base.util.Debug;
import org.ofbiz.base.util.GeneralException;
@@ -42,6 +44,10 @@ import org.ofbiz.entity.Delegator;
import org.ofbiz.entity.GenericEntityException;
import org.ofbiz.entity.GenericValue;
import org.ofbiz.entity.util.EntityQuery;
+import org.ofbiz.entity.util.EntityUtilProperties;
+import org.ofbiz.service.GenericServiceException;
+import org.ofbiz.service.LocalDispatcher;
+import org.ofbiz.service.ServiceUtil;
import org.ofbiz.webapp.view.AbstractViewHandler;
import org.ofbiz.webapp.view.ViewHandlerException;
import org.ofbiz.webapp.website.WebSiteWorker;
@@ -66,6 +72,9 @@ public class SimpleContentViewHandler ex
*/
public void render(String name, String page, String info, String
contentType, String encoding, HttpServletRequest request, HttpServletResponse
response) throws ViewHandlerException {
+ LocalDispatcher dispatcher = (LocalDispatcher)
request.getAttribute("dispatcher");
+ HttpSession session = request.getSession();
+ GenericValue userLogin = (GenericValue)
session.getAttribute("userLogin");
String contentId = request.getParameter("contentId");
String rootContentId = request.getParameter("rootContentId");
String mapKey = request.getParameter("mapKey");
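Review bot: `request.getSession()` on the added line creates a session for every request that reaches render(), including anonymous fetches of public content, although the session is only used to read `userLogin`. Unless the controller is already guaranteed to have created one, `HttpSession session = request.getSession(false);` followed by `GenericValue userLogin = (session != null) ? (GenericValue) session.getAttribute("userLogin") : null;` avoids allocating a session per crawler hit. The `dispatcher` attribute is also cast without a null check and is dereferenced later in the permission block. render()'s body continues outside this hunk.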
@@ -136,6 +145,43 @@ public class SimpleContentViewHandler ex
if
(!UtilValidate.isEmpty(dataResource.getString("dataResourceName"))) {
fileName =
dataResource.getString("dataResourceName").replace(" ", "_"); // spaces in
filenames can be a problem
}
+
+ // see if data resource is public or not
+ String isPublic = dataResource.getString("isPublic");
+ if (UtilValidate.isEmpty(isPublic)) {
+ isPublic = "N";
+ }
+ // get the permission service required for streaming data;
default is always the genericContentPermission
+ String permissionService =
EntityUtilProperties.getPropertyValue("content.properties",
"stream.permission.service", "genericContentPermission", delegator);
+
+ // not public check security
+ if (!"Y".equalsIgnoreCase(isPublic)) {
+ // do security check
+ Map<String, ? extends Object> permSvcCtx =
UtilMisc.toMap("userLogin", userLogin, "locale", locale, "mainAction", "VIEW",
"contentId", contentId);
+ Map<String, Object> permSvcResp;
+ try {
+ permSvcResp = dispatcher.runSync(permissionService,
permSvcCtx);
+ } catch (GenericServiceException e) {
+ Debug.logError(e, module);
+ request.setAttribute("_ERROR_MESSAGE_",
e.getMessage());
+ throw new ViewHandlerException(e.getMessage());
+ }
+ if (ServiceUtil.isError(permSvcResp)) {
+ String errorMsg =
ServiceUtil.getErrorMessage(permSvcResp);
+ Debug.logError(errorMsg, module);
+ request.setAttribute("_ERROR_MESSAGE_", errorMsg);
+ throw new ViewHandlerException(errorMsg);
+ }
+
+ // no service errors; now check the actual response
+ Boolean hasPermission = (Boolean)
permSvcResp.get("hasPermission");
+ if (!hasPermission.booleanValue()) {
+ String errorMsg = (String)
permSvcResp.get("failMessage");
+ Debug.logError(errorMsg, module);
+ request.setAttribute("_ERROR_MESSAGE_", errorMsg);
+ throw new ViewHandlerException(errorMsg);
+ }
+ }
UtilHttp.streamContentToBrowser(response, bais,
byteBuffer.limit(), contentType2, fileName);
}
} catch (GenericEntityException e) {
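Review bot: The permission service is called with the `contentId` request parameter, while the bytes streamed come from `dataResource`, whose lookup is outside this hunk; if that lookup can resolve the resource through `rootContentId`, `mapKey` or another parameter, the check authorises a different (or empty) id than the content actually served. Passing the id of the content record that was actually resolved, or rejecting the request when `contentId` is empty in the non-public branch, would close that gap, and is worth confirming against the lookup code. Separately, `hasPermission.booleanValue()` throws a NullPointerException when the configured `stream.permission.service` returns no `hasPermission` entry; `if (!Boolean.TRUE.equals(permSvcResp.get("hasPermission"))) {` denies access cleanly instead. `e.getMessage()` is also copied into `_ERROR_MESSAGE_`, which may expose service internals to the requester; a generic message with the detail kept in the log would be safer.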