[ 
https://issues.apache.org/jira/browse/OFBIZ-6228?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14393875#comment-14393875
 ] 

Jiancai Hao commented on OFBIZ-6228:
------------------------------------

I noticed this code snippet:
...
    private boolean evalRoleMember(GenericValue userLogin) {
        if (nameOrRole == null) {
            Debug.logWarning("Null role type name passed for evaluation", module);
            return false;
        }
        List<GenericValue> partyRoles = null;
        /** (jaz) THIS IS NOT SECURE AT ALL
        try {
            partyRoles = delegator.findByAnd("PartyRole", "roleTypeId", nameOrRole, "partyId", userLogin.get("partyId"));
        } catch (GenericEntityException e) {
            Debug.logError(e, "Unable to lookup PartyRole records", module);
        }
        **/

        if (UtilValidate.isNotEmpty(partyRoles)) {
            partyRoles = EntityUtil.filterByDate(partyRoles);
            if (UtilValidate.isNotEmpty(partyRoles)) {
                return true;
            }
        }
        return false;
    }
...

The role lookup has been commented out by jaz, apparently for security reasons. So how can we fix this?

> The role permission function fail
> ---------------------------------
>
>                 Key: OFBIZ-6228
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6228
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jiancai Hao
>              Labels: permission, role
>
> When a service is set up with a role permission like this:
>       <service name="learningCallingServiceOneWithPermission" engine="java" location="org.ofbiz.learning.learning.LearningServices" invoke="callingServiceOne">
>             <description>First Service Called From The Controller</description>
>             <required-permissions join-type="OR">
>                   <!-- <check-permission permission="LEARN_VIEW" /> -->
>                   <check-role-member role-type="CUSTOMER"/>
>             </required-permissions>
>             <implements service="learningInterface" />
>       </service>
> ...
> and then partyId 10010, for example, is assigned the role "CUSTOMER". When logging in as this party and calling the service 
> "learningCallingServiceOneWithPermission", the party does not get the permission.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
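
With the lookup commented out in the snippet above, partyRoles stays null, UtilValidate.isNotEmpty(null) is false, and evalRoleMember returns false for every party and every role type, which matches the reported symptom. The following stand-alone Java program is an added illustration, not OFBiz code and not a proposed patch for OFBIZ-6228: it models what the check computes when the PartyRole lookup is in place and the result is passed through a date filter with the same contract as EntityUtil.filterByDate (a row is current when fromDate is null or not after "now", and thruDate is null or after "now"). The PartyRole class, the in-memory findByAnd stand-in for the delegator call, the fromDate/thruDate columns and the sample rows are all constructed for this example.

```java
import java.sql.Timestamp;
import java.util.ArrayList;
import java.util.List;

// Stand-alone model of the check-role-member evaluation (added example, not OFBiz code).
public class RoleMemberCheck {

    // Constructed stand-in for a PartyRole GenericValue, carrying only the fields the check reads.
    static final class PartyRole {
        final String partyId;
        final String roleTypeId;
        final Timestamp fromDate;   // null means active from the beginning
        final Timestamp thruDate;   // null means no expiry

        PartyRole(String partyId, String roleTypeId, Timestamp fromDate, Timestamp thruDate) {
            this.partyId = partyId;
            this.roleTypeId = roleTypeId;
            this.fromDate = fromDate;
            this.thruDate = thruDate;
        }
    }

    // Constructed in-memory stand-in for delegator.findByAnd("PartyRole", "roleTypeId", ..., "partyId", ...).
    static List<PartyRole> findByAnd(List<PartyRole> table, String roleTypeId, String partyId) {
        List<PartyRole> out = new ArrayList<>();
        for (PartyRole pr : table) {
            if (pr.roleTypeId.equals(roleTypeId) && pr.partyId.equals(partyId)) {
                out.add(pr);
            }
        }
        return out;
    }

    // Same contract as EntityUtil.filterByDate: keep rows that are current at "now".
    // Open-ended fromDate/thruDate (null) count as current on that side.
    static List<PartyRole> filterByDate(List<PartyRole> roles, Timestamp now) {
        List<PartyRole> out = new ArrayList<>();
        for (PartyRole pr : roles) {
            boolean started = pr.fromDate == null || !pr.fromDate.after(now);
            boolean notEnded = pr.thruDate == null || pr.thruDate.after(now);
            if (started && notEnded) {
                out.add(pr);
            }
        }
        return out;
    }

    // The evaluation with the lookup in place: true only for a role membership that is current at "now".
    // A null role type or a login without a party never grants anything.
    static boolean evalRoleMember(List<PartyRole> table, String nameOrRole, String partyId, Timestamp now) {
        if (nameOrRole == null || partyId == null) {
            return false;
        }
        List<PartyRole> partyRoles = findByAnd(table, nameOrRole, partyId);
        return !filterByDate(partyRoles, now).isEmpty();
    }

    public static void main(String[] args) {
        Timestamp now = Timestamp.valueOf("2015-04-01 12:00:00");

        // Constructed sample rows: one current CUSTOMER, one expired CUSTOMER, one party in a different role.
        List<PartyRole> table = new ArrayList<>();
        table.add(new PartyRole("10010", "CUSTOMER", null, null));
        table.add(new PartyRole("10011", "CUSTOMER", null, Timestamp.valueOf("2014-12-31 00:00:00")));
        table.add(new PartyRole("10012", "SUPPLIER", null, null));

        System.out.println("10010 as CUSTOMER (current role):   " + evalRoleMember(table, "CUSTOMER", "10010", now));
        System.out.println("10011 as CUSTOMER (thruDate passed): " + evalRoleMember(table, "CUSTOMER", "10011", now));
        System.out.println("10012 as CUSTOMER (holds SUPPLIER):  " + evalRoleMember(table, "CUSTOMER", "10012", now));
        System.out.println("10010 with null role type:           " + evalRoleMember(table, null, "10010", now));
    }
}
```

The "now" is passed in explicitly so the expiry case can be exercised deterministically; in a real check it would be the request time. Whatever the project decides about the commented-out lookup, the property worth preserving is the one shown here: an expired or never-granted role must evaluate to false, and a null role type or party must never grant access.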
