Author: jleroux
Date: Sun Sep 13 08:31:55 2015
New Revision: 1702704
URL: http://svn.apache.org/r1702704
Log:
A patch for "createQuoteRole, createContentRole, and createRequirementRole
allow for adding Roles to a Party without permissions"
https://issues.apache.org/jira/browse/OFBIZ-6605
Reported by Forrest Rae:
The following functions automatically add a PartyRole entry if the PartyRole
does not exist. This is possible even when the userLogin doesn't have
PARTYMGR_UPDATE or PARTYMGR_CREATE.
createQuoteRole
createContentRole
createRequirementRole
Repro:
1) Remove PARTYMGR_UPDATE or PARTYMGR_CREATE permissions from the ORDERENTRY
group.
2) Login as DemoRepStore
3) Create a Quote
4) Add a QuoteRole with partyId of DemoRepStore and Role of your choosing.
5) View DemoRepStore roles.
This is a security problem for anyone building component that leverages Role
based security.
jleroux: simple solution, check before creating the new role the user has
PARTYMGR_UPDATE or PARTYMGR_CREATE.
Modified:
ofbiz/trunk/applications/content/script/org/ofbiz/content/content/ContentServices.xml
ofbiz/trunk/applications/order/script/org/ofbiz/order/quote/QuoteServices.xml
ofbiz/trunk/applications/order/script/org/ofbiz/order/requirement/RequirementServices.xml
ofbiz/trunk/applications/party/config/PartyErrorUiLabels.xml
Modified:
ofbiz/trunk/applications/content/script/org/ofbiz/content/content/ContentServices.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/script/org/ofbiz/content/content/ContentServices.xml?rev=1702704&r1=1702703&r2=1702704&view=diff
==============================================================================
---
ofbiz/trunk/applications/content/script/org/ofbiz/content/content/ContentServices.xml
(original)
+++
ofbiz/trunk/applications/content/script/org/ofbiz/content/content/ContentServices.xml
Sun Sep 13 08:31:55 2015
@@ -278,6 +278,14 @@
<set-pk-fields value-field="partyRolePK" map="parameters"/>
<find-by-primary-key entity-name="PartyRole" map="partyRolePK"
value-field="partyRole"/>
<if-empty field="partyRole">
+ <check-permission permission="PARTYMGR" action="_CREATE">
+ <fail-property resource="OrderErrorUiLabels"
property="OrderErrorCreatePermissionError"/>
+ </check-permission>
+ <check-errors/>
+ <check-permission permission="PARTYMGR" action="_UPDATE">
+ <fail-property resource="OrderErrorUiLabels"
property="OrderErrorCreatePermissionError"/>
+ </check-permission>
+ <check-errors/>
<make-value entity-name="PartyRole" map="partyRolePK"
value-field="partyRole"/>
<create-value value-field="partyRole"/>
</if-empty>
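Review bot: The two consecutive `<check-permission>`/`<check-errors/>` pairs added ahead of `<make-value>` require the caller to hold both PARTYMGR_CREATE and PARTYMGR_UPDATE, whereas the log message and the new label text say either one is enough; a user with only PARTYMGR_CREATE is rejected by the second check. If "either" is the intent, express it as one check with minilang's alternative-permission child, e.g. `<check-permission permission="PARTYMGR" action="_CREATE"><alt-permission permission="PARTYMGR" action="_UPDATE"/><fail-property resource="PartyErrorUiLabels" property="PartyErrorCreatePermissionError"/></check-permission>` followed by a single `<check-errors/>`. Note also that both `<fail-property>` elements point at `OrderErrorUiLabels`/`OrderErrorCreatePermissionError`, while the label this commit adds is `PartyErrorCreatePermissionError` in `PartyErrorUiLabels.xml`, so the new message is never used from this service and the user may see an order-permission text for a party-permission failure. The enclosing service body starts before this hunk.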
Modified:
ofbiz/trunk/applications/order/script/org/ofbiz/order/quote/QuoteServices.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/script/org/ofbiz/order/quote/QuoteServices.xml?rev=1702704&r1=1702703&r2=1702704&view=diff
==============================================================================
---
ofbiz/trunk/applications/order/script/org/ofbiz/order/quote/QuoteServices.xml
(original)
+++
ofbiz/trunk/applications/order/script/org/ofbiz/order/quote/QuoteServices.xml
Sun Sep 13 08:31:55 2015
@@ -282,6 +282,14 @@ under the License.
<set from-field="parameters.roleTypeId"
field="lookupPKMap.roleTypeId"/>
<find-by-primary-key entity-name="PartyRole" map="lookupPKMap"
value-field="partyRole"/>
<if-empty field="partyRole.partyId">
+ <check-permission permission="PARTYMGR" action="_CREATE">
+ <fail-property resource="OrderErrorUiLabels"
property="OrderErrorCreatePermissionError"/>
+ </check-permission>
+ <check-errors/>
+ <check-permission permission="PARTYMGR" action="_UPDATE">
+ <fail-property resource="OrderErrorUiLabels"
property="OrderErrorCreatePermissionError"/>
+ </check-permission>
+ <check-errors/>
<make-value value-field="partyRole" entity-name="PartyRole"/>
<set-pk-fields map="lookupPKMap" value-field="partyRole"/>
<create-value value-field="partyRole"/>
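Review bot: The `<fail-property>` elements added here reference `OrderErrorUiLabels` with key `OrderErrorCreatePermissionError`, but the label introduced by this same commit is `PartyErrorCreatePermissionError` in `PartyErrorUiLabels.xml`; unless an `OrderErrorCreatePermissionError` entry already exists, the failure will render a raw key instead of the intended "you must have PARTYMGR_CREATE or PARTYMGR_UPDATE" text, and even if it does exist it will not name the party permission that was actually checked. Changing both lines to `<fail-property resource="PartyErrorUiLabels" property="PartyErrorCreatePermissionError"/>` ties the message to the check. Separately, running `_CREATE` and `_UPDATE` as two independent `<check-permission>`/`<check-errors/>` pairs enforces an AND, not the OR described in the log and the label, so a caller with only one of the two permissions is refused; folding `_UPDATE` in as an `<alt-permission>` inside the `_CREATE` check would match the stated intent. The enclosing `createQuoteRole` body begins outside the hunk.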
Modified:
ofbiz/trunk/applications/order/script/org/ofbiz/order/requirement/RequirementServices.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/script/org/ofbiz/order/requirement/RequirementServices.xml?rev=1702704&r1=1702703&r2=1702704&view=diff
==============================================================================
---
ofbiz/trunk/applications/order/script/org/ofbiz/order/requirement/RequirementServices.xml
(original)
+++
ofbiz/trunk/applications/order/script/org/ofbiz/order/requirement/RequirementServices.xml
Sun Sep 13 08:31:55 2015
@@ -107,6 +107,14 @@ under the License.
<set from-field="parameters.roleTypeId"
field="lookupPKMap.roleTypeId"/>
<find-by-primary-key entity-name="PartyRole" map="lookupPKMap"
value-field="partyRole"/>
<if-empty field="partyRole.partyId">
+ <check-permission permission="PARTYMGR" action="_CREATE">
+ <fail-property resource="OrderErrorUiLabels"
property="OrderErrorCreatePermissionError"/>
+ </check-permission>
+ <check-errors/>
+ <check-permission permission="PARTYMGR" action="_UPDATE">
+ <fail-property resource="OrderErrorUiLabels"
property="OrderErrorCreatePermissionError"/>
+ </check-permission>
+ <check-errors/>
<make-value value-field="partyRole" entity-name="PartyRole"/>
<set-pk-fields map="lookupPKMap" value-field="partyRole"/>
<create-value value-field="partyRole"/>
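Review bot: The added checks stop at the first failing `<check-errors/>`, so a caller must pass both the `_CREATE` and the `_UPDATE` check before the role is created; that is stricter than the "PARTYMGR_CREATE or PARTYMGR_UPDATE" rule the commit log and the new label describe, and will break requirement-role creation for users granted only PARTYMGR_CREATE. If OR semantics are intended, keep one `<check-permission permission="PARTYMGR" action="_CREATE">` and add `<alt-permission permission="PARTYMGR" action="_UPDATE"/>` inside it, with a single `<check-errors/>` after. The `<fail-property>` lines also name `OrderErrorUiLabels`/`OrderErrorCreatePermissionError` rather than the `PartyErrorUiLabels`/`PartyErrorCreatePermissionError` entry this commit adds, so the new label is dead as far as this service is concerned. The service definition this hunk sits in starts before the hunk.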
Modified: ofbiz/trunk/applications/party/config/PartyErrorUiLabels.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/config/PartyErrorUiLabels.xml?rev=1702704&r1=1702703&r2=1702704&view=diff
==============================================================================
--- ofbiz/trunk/applications/party/config/PartyErrorUiLabels.xml (original)
+++ ofbiz/trunk/applications/party/config/PartyErrorUiLabels.xml Sun Sep 13
08:31:55 2015
@@ -1171,6 +1171,16 @@
<value xml:lang="zh">å¿
é¡»çåæ° 'email' ä¸è½ä¸ºç©ºã</value>
<value xml:lang="zh-TW">å¿
è¦ç忏 'email' ä¸è½çºç©º.</value>
</property>
+ <property key="PartyErrorCreatePermissionError">
+ <value xml:lang="ar">خطأ Ø£Ù
ÙÙ: ÙØ¬Ø¨ Ø£Ù ÙÙÙÙ ÙØ¯ÙÙ
أذ٠PARTYMGR_CREATE Ø£Ù PARTYMGR_UPDATE ÙØªØ´ØºÙ
${resourceDescription}</value>
+ <value xml:lang="de">Berechtigungsfehler: Um ${resourceDescription}
auszuführen muss man PARTYMGR_CREATE oder PARTYMGR_UPDATE Berechtigungen
haben</value>
+ <value xml:lang="en">Security Error: to run ${resourceDescription} you
must have the PARTYMGR_CREATE or PARTYMGR_UPDATE permission</value>
+ <value xml:lang="fr">Erreur de sécurité : pour effectuer
${resourceDescription} vous devez avoir l'autorisation PARTYMGR_CREATE ou
PARTYMGR_UPDATE</value>
+ <value xml:lang="it">Errore di sicurezza: per eseguire
${resourceDescription} devi avere il permesso PARTYMGR_CREATE o
PARTYMGR_UPDATE</value>
+ <value xml:lang="ja">ã»ãã¥ãªãã£ã¨ã©ã¼:
${resourceDescription} ãå®è¡ããã«ã¯ PARTYMGR_CREATE ã¾ãã¯
PARTYMGR_UPDATE 権éãå¿
è¦ã§ã</value>
+ <value xml:lang="vi">Lá»i phân quyá»n: Äá» thá»±c thi
${resourceDescription} bạn cần có quyá»n PARTYMGR_CREATE hoặc
PARTYMGR_UPDATE</value>
+ <value
xml:lang="zh">ç³»ç»é误ï¼è¦è¿è¡${resourceDescription}ï¼ä½ å¿
é¡»æ
PARTYMGR_CREATE æ PARTYMGR_UPDATE æé</value>
+ </property>
<property key="person.create.db_error">
<value xml:lang="de">Kann Informationen zur Person nicht hinzufügen
(Schreibfehler): ${0}</value>
<value xml:lang="en">Could not add person info (write failure):
${0}</value>