This is an automated email from the ASF dual-hosted git repository. jacopoc pushed a commit to branch release24.09 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit e456b65f894ff58b0ea2a9415308fd77e280aaff Author: Jacopo Cappellato <[email protected]> AuthorDate: Sun May 10 09:57:52 2026 +0200 Fixed: Add permission checks for SERVICE_MAINT in CoreEvents to enhance security (cherry picked from commit f05a0c2268f163573a0e0895ec381593de1283db) --- .../java/org/apache/ofbiz/webapp/event/CoreEvents.java | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/CoreEvents.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/CoreEvents.java index dabc221d8d..aab160ba77 100644 --- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/CoreEvents.java +++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/CoreEvents.java @@ -113,6 +113,12 @@ public class CoreEvents { Locale locale = UtilHttp.getLocale(request); TimeZone timeZone = UtilHttp.getTimeZone(request); + if (!security.hasPermission("SERVICE_MAINT", userLogin)) { + String errMsg = UtilProperties.getMessage(ERR_RESOURCE, "coreEvents.not_authorized_to_call", locale); + request.setAttribute("_ERROR_MESSAGE_", errMsg); + return "error"; + } + Map<String, Object> params = UtilHttp.getParameterMap(request); // get the schedule parameters String jobName = (String) params.remove("JOB_NAME"); @@ -434,11 +440,19 @@ public class CoreEvents { * @return Response code string */ public static String runService(HttpServletRequest request, HttpServletResponse response) { + Security security = (Security) request.getAttribute("security"); + GenericValue userLogin = (GenericValue) request.getSession().getAttribute("userLogin"); // get the mode and service name String serviceName = request.getParameter("serviceName"); String mode = request.getParameter("mode"); Locale locale = UtilHttp.getLocale(request); + if (!security.hasPermission("SERVICE_MAINT", userLogin)) { + String errMsg = UtilProperties.getMessage(ERR_RESOURCE, "coreEvents.not_authorized_to_call", locale); + request.setAttribute("_ERROR_MESSAGE_", errMsg); + return "error"; + } + if (UtilValidate.isEmpty(serviceName)) { String errMsg = UtilProperties.getMessage(ERR_RESOURCE, "coreEvents.must_specify_service_name", locale); request.setAttribute("_ERROR_MESSAGE_", errMsg); @@ -450,7 +464,6 @@ public class CoreEvents { } // now do a security check - Security security = (Security) request.getAttribute("security"); LocalDispatcher dispatcher = (LocalDispatcher) request.getAttribute("dispatcher"); //lookup the service definition to see if this service is externally available, if not require the SERVICE_INVOKE_ANY permission

