Author: ashish
Date: Sat Dec 20 09:44:24 2014
New Revision: 1646938
URL: http://svn.apache.org/r1646938
Log:
Applied bug fix from trunk r1646934.
====================================================================================
Applied patch from jira issue - OFBIZ-4360 - Content is getting public to web
search engine no privacy.
Thanks Deepak for the contribution. Thanks patrick LE BLAN for creating the
issue.
====================================================================================
Modified:
ofbiz/branches/release13.07/applications/content/src/org/ofbiz/content/view/SimpleContentViewHandler.java
Modified:
ofbiz/branches/release13.07/applications/content/src/org/ofbiz/content/view/SimpleContentViewHandler.java
URL:
http://svn.apache.org/viewvc/ofbiz/branches/release13.07/applications/content/src/org/ofbiz/content/view/SimpleContentViewHandler.java?rev=1646938&r1=1646937&r2=1646938&view=diff
==============================================================================
---
ofbiz/branches/release13.07/applications/content/src/org/ofbiz/content/view/SimpleContentViewHandler.java
(original)
+++
ofbiz/branches/release13.07/applications/content/src/org/ofbiz/content/view/SimpleContentViewHandler.java
Sat Dec 20 09:44:24 2014
@@ -25,10 +25,12 @@ import java.sql.Timestamp;
import java.text.ParseException;
import java.util.List;
import java.util.Locale;
+import java.util.Map;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
import org.ofbiz.base.util.Debug;
import org.ofbiz.base.util.GeneralException;
@@ -41,6 +43,10 @@ import org.ofbiz.content.data.DataResour
import org.ofbiz.entity.Delegator;
import org.ofbiz.entity.GenericEntityException;
import org.ofbiz.entity.GenericValue;
+import org.ofbiz.entity.util.EntityUtilProperties;
+import org.ofbiz.service.GenericServiceException;
+import org.ofbiz.service.LocalDispatcher;
+import org.ofbiz.service.ServiceUtil;
import org.ofbiz.webapp.view.AbstractViewHandler;
import org.ofbiz.webapp.view.ViewHandlerException;
import org.ofbiz.webapp.website.WebSiteWorker;
@@ -62,6 +68,9 @@ public class SimpleContentViewHandler ex
*/
public void render(String name, String page, String info, String
contentType, String encoding, HttpServletRequest request, HttpServletResponse
response) throws ViewHandlerException {
+ LocalDispatcher dispatcher = (LocalDispatcher)
request.getAttribute("dispatcher");
+ HttpSession session = request.getSession();
+ GenericValue userLogin = (GenericValue)
session.getAttribute("userLogin");
String contentId = request.getParameter("contentId");
String rootContentId = request.getParameter("rootContentId");
String mapKey = request.getParameter("mapKey");
@@ -141,13 +150,50 @@ public class SimpleContentViewHandler ex
if (UtilValidate.isEmpty(charset)) {
charset = "UTF-8";
}
-
+
// setup content type
String contentType2 = UtilValidate.isNotEmpty(mimeTypeId) ?
mimeTypeId + "; charset=" +charset : contentType;
String fileName = null;
if
(!UtilValidate.isEmpty(dataResource.getString("dataResourceName"))) {
fileName =
dataResource.getString("dataResourceName").replace(" ", "_"); // spaces in
filenames can be a problem
}
+
+ // see if data resource is public or not
+ String isPublic = dataResource.getString("isPublic");
+ if (UtilValidate.isEmpty(isPublic)) {
+ isPublic = "N";
+ }
+ // get the permission service required for streaming data;
default is always the genericContentPermission
+ String permissionService =
EntityUtilProperties.getPropertyValue("content.properties",
"stream.permission.service", "genericContentPermission", delegator);
+
+ // not public check security
+ if (!"Y".equalsIgnoreCase(isPublic)) {
+ // do security check
+ Map<String, ? extends Object> permSvcCtx =
UtilMisc.toMap("userLogin", userLogin, "locale", locale, "mainAction", "VIEW",
"contentId", contentId);
+ Map<String, Object> permSvcResp;
+ try {
+ permSvcResp = dispatcher.runSync(permissionService,
permSvcCtx);
+ } catch (GenericServiceException e) {
+ Debug.logError(e, module);
+ request.setAttribute("_ERROR_MESSAGE_",
e.getMessage());
+ throw new ViewHandlerException(e.getMessage());
+ }
+ if (ServiceUtil.isError(permSvcResp)) {
+ String errorMsg =
ServiceUtil.getErrorMessage(permSvcResp);
+ Debug.logError(errorMsg, module);
+ request.setAttribute("_ERROR_MESSAGE_", errorMsg);
+ throw new ViewHandlerException(errorMsg);
+ }
+
+ // no service errors; now check the actual response
+ Boolean hasPermission = (Boolean)
permSvcResp.get("hasPermission");
+ if (!hasPermission.booleanValue()) {
+ String errorMsg = (String)
permSvcResp.get("failMessage");
+ Debug.logError(errorMsg, module);
+ request.setAttribute("_ERROR_MESSAGE_", errorMsg);
+ throw new ViewHandlerException(errorMsg);
+ }
+ }
UtilHttp.streamContentToBrowser(response, bais,
byteBuffer.limit(), contentType2, fileName);
}
} catch (GenericEntityException e) {
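Review bot: The final check `if (!hasPermission.booleanValue())` unboxes the service result without a null test, so a permission service that returns no `hasPermission` entry ends the request with a NullPointerException rather than the logged denial path; `if (!Boolean.TRUE.equals(permSvcResp.get("hasPermission")))` would make the deny-by-default explicit. The service name comes from the `stream.permission.service` property, so a custom service that omits the key is plausible. The check is also keyed on the raw `contentId` request parameter while `isPublic` is read from `dataResource`. The lookup that produces `dataResource` sits in the enclosing try block above this hunk, so it is worth confirming that the streamed resource always belongs to that `contentId`, including when the parameter is empty. Separately, `e.getMessage()` from the service exception is copied into `_ERROR_MESSAGE_`, which may expose internal detail to the requester if that attribute is rendered; a generic message with the detail kept in `Debug.logError` would avoid that.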