This is an automated email from the ASF dual-hosted git repository.

jacopoc pushed a commit to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit e456b65f894ff58b0ea2a9415308fd77e280aaff
Author: Jacopo Cappellato <[email protected]>
AuthorDate: Sun May 10 09:57:52 2026 +0200

    Fixed: Add permission checks for SERVICE_MAINT in CoreEvents to enhance 
security
    
    (cherry picked from commit f05a0c2268f163573a0e0895ec381593de1283db)
---
 .../java/org/apache/ofbiz/webapp/event/CoreEvents.java    | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/CoreEvents.java 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/CoreEvents.java
index dabc221d8d..aab160ba77 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/CoreEvents.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/CoreEvents.java
@@ -113,6 +113,12 @@ public class CoreEvents {
         Locale locale = UtilHttp.getLocale(request);
         TimeZone timeZone = UtilHttp.getTimeZone(request);
 
+        if (!security.hasPermission("SERVICE_MAINT", userLogin)) {
+            String errMsg = UtilProperties.getMessage(ERR_RESOURCE, 
"coreEvents.not_authorized_to_call", locale);
+            request.setAttribute("_ERROR_MESSAGE_", errMsg);
+            return "error";
+        }
+
         Map<String, Object> params = UtilHttp.getParameterMap(request);
         // get the schedule parameters
         String jobName = (String) params.remove("JOB_NAME");
@@ -434,11 +440,19 @@ public class CoreEvents {
      * @return Response code string
      */
     public static String runService(HttpServletRequest request, 
HttpServletResponse response) {
+        Security security = (Security) request.getAttribute("security");
+        GenericValue userLogin = (GenericValue) 
request.getSession().getAttribute("userLogin");
         // get the mode and service name
         String serviceName = request.getParameter("serviceName");
         String mode = request.getParameter("mode");
         Locale locale = UtilHttp.getLocale(request);
 
+        if (!security.hasPermission("SERVICE_MAINT", userLogin)) {
+            String errMsg = UtilProperties.getMessage(ERR_RESOURCE, 
"coreEvents.not_authorized_to_call", locale);
+            request.setAttribute("_ERROR_MESSAGE_", errMsg);
+            return "error";
+        }
+
         if (UtilValidate.isEmpty(serviceName)) {
             String errMsg = UtilProperties.getMessage(ERR_RESOURCE, 
"coreEvents.must_specify_service_name", locale);
             request.setAttribute("_ERROR_MESSAGE_", errMsg);
@@ -450,7 +464,6 @@ public class CoreEvents {
         }
 
         // now do a security check
-        Security security = (Security) request.getAttribute("security");
         LocalDispatcher dispatcher = (LocalDispatcher) 
request.getAttribute("dispatcher");
 
         //lookup the service definition to see if this service is externally 
available, if not require the SERVICE_INVOKE_ANY permission

Reply via email to