details: /erp/devel/main/rev/a7f7484b9d64 changeset: 8364:a7f7484b9d64 user: Antonio Moreno <antonio.moreno <at> openbravo.com> date: Thu Sep 09 11:12:58 2010 +0200 summary: Fixed issue 14491. Added a less strict admin mode in DAL
details: /erp/devel/main/rev/1a70d010c512 changeset: 8365:1a70d010c512 user: Antonio Moreno <antonio.moreno <at> openbravo.com> date: Thu Sep 09 11:58:24 2010 +0200 summary: Related to issue 14491. Added missing license details: /erp/devel/main/rev/177150e9722d changeset: 8366:177150e9722d user: RM packaging bot <staff.rm <at> openbravo.com> date: Fri Sep 10 04:10:44 2010 +0000 summary: CI: promote changesets from pi to main diffstat: src-db/database/sourcedata/AD_MODULE.xml | 2 +- src-test/org/openbravo/test/dal/DoOrgClientAccessCheckTest.java | 99 ++++++++++ src/org/openbravo/dal/core/OBContext.java | 69 ++++++- src/org/openbravo/dal/security/SecurityChecker.java | 3 +- 4 files changed, 163 insertions(+), 10 deletions(-) diffs (257 lines): diff -r b4257b2efa7a -r 177150e9722d src-db/database/sourcedata/AD_MODULE.xml --- a/src-db/database/sourcedata/AD_MODULE.xml Thu Sep 09 09:16:22 2010 +0200 +++ b/src-db/database/sourcedata/AD_MODULE.xml Fri Sep 10 04:10:44 2010 +0000 @@ -6,7 +6,7 @@ <!--0--> <AD_ORG_ID><![CDATA[0]]></AD_ORG_ID> <!--0--> <ISACTIVE><![CDATA[Y]]></ISACTIVE> <!--0--> <NAME><![CDATA[core]]></NAME> -<!--0--> <VERSION><![CDATA[2.50.18350]]></VERSION> +<!--0--> <VERSION><![CDATA[2.50.18365]]></VERSION> <!--0--> <DESCRIPTION><![CDATA[Core module is the base one]]></DESCRIPTION> <!--0--> <HELP><![CDATA[Core module is the base one, all developments in core are included as part of the standard Openbravo ERP.]]></HELP> <!--0--> <URL><![CDATA[www.openbravo.com]]></URL> diff -r b4257b2efa7a -r 177150e9722d src-test/org/openbravo/test/dal/DoOrgClientAccessCheckTest.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src-test/org/openbravo/test/dal/DoOrgClientAccessCheckTest.java Fri Sep 10 04:10:44 2010 +0000 @@ -0,0 +1,99 @@ +/* + ************************************************************************* + * The contents of this file are subject to the Openbravo Public License + * Version 1.0 (the "License"), being the Mozilla Public License + * Version 1.1 with a permitted attribution clause; you may not use this + * file except in compliance with the License. You may obtain a copy of + * the License at http://www.openbravo.com/legal/license.html + * Software distributed under the License is distributed on an "AS IS" + * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the + * License for the specific language governing rights and limitations + * under the License. + * The Original Code is Openbravo ERP. + * The Initial Developer of the Original Code is Openbravo SLU + * All portions are Copyright (C) 2010 Openbravo SLU + * All Rights Reserved. + * Contributor(s): ______________________________________. + ************************************************************************ + */ + +package org.openbravo.test.dal; + +import org.openbravo.base.exception.OBSecurityException; +import org.openbravo.base.provider.OBProvider; +import org.openbravo.dal.core.OBContext; +import org.openbravo.dal.service.OBDal; +import org.openbravo.model.ad.system.Client; +import org.openbravo.model.ad.utility.Image; +import org.openbravo.model.common.enterprise.Organization; +import org.openbravo.test.base.BaseTest; + +public class DoOrgClientAccessCheckTest extends BaseTest { + + public void testNormalAdminMode() { + + setBigBazaarUserContext(); + OBContext.setAdminMode(); + try { + insertImage("0"); + } catch (final OBSecurityException e) { + fail("Security shouldn't fail in normal admin mode"); + } finally { + OBContext.restorePreviousMode(); + } + } + + public void testDoOrgClientAccessCheckWrongClient() { + + setBigBazaarUserContext(); + OBContext.setAdminMode(true); + try { + // This should fail, because we are using admin mode with Client/Org filtering, and the client + // is wrong + insertImage("0"); + fail("No security check"); + } catch (final OBSecurityException e) { + } finally { + OBContext.restorePreviousMode(); + } + } + + public void testDoOrgClientAccessCheck() { + + setBigBazaarUserContext(); + OBContext.setAdminMode(true); + try { + // This should work, even if we are filtering, because the client is compatible + insertImage("1000000"); + } catch (final OBSecurityException e) { + fail("Security shouldn't fail if client/org is used"); + } finally { + OBContext.restorePreviousMode(); + } + } + + public void testNormalUserMode() { + + setBigBazaarUserContext(); + try { + insertImage("0"); + fail("No security check"); + } catch (final OBSecurityException e) { + // this is correct, as a normal user shouldn't be able to write the image in client 0 + } + } + + private void insertImage(String clientId) { + Client client0 = OBDal.getInstance().get(Client.class, clientId); + Organization org0 = OBDal.getInstance().get(Organization.class, "0"); + Image image = OBProvider.getInstance().get(Image.class); + image.setName("ImageTest"); + image.setClient(client0); + image.setOrganization(org0); + OBDal.getInstance().save(image); + OBDal.getInstance().flush(); + OBDal.getInstance().remove(image); + OBDal.getInstance().flush(); + } + +} diff -r b4257b2efa7a -r 177150e9722d src/org/openbravo/dal/core/OBContext.java --- a/src/org/openbravo/dal/core/OBContext.java Thu Sep 09 09:16:22 2010 +0200 +++ b/src/org/openbravo/dal/core/OBContext.java Fri Sep 10 04:10:44 2010 +0000 @@ -89,7 +89,7 @@ private static ThreadLocal<OBContext> adminModeSet = new ThreadLocal<OBContext>(); - private static ThreadLocal<Stack<Boolean>> adminModeStack = new ThreadLocal<Stack<Boolean>>(); + private static ThreadLocal<Stack<OBAdminMode>> adminModeStack = new ThreadLocal<Stack<OBAdminMode>>(); private static ThreadLocal<List<String>> adminModeTrace = new ThreadLocal<List<String>>(); public static final String CONTEXT_PARAM = "#OBContext"; @@ -132,11 +132,16 @@ * * To restore the previous privileges call the {...@link #restorePreviousMode()}. * + * @param chekEntityAccess + * Whether entity access should also be checked * @see OBContext#restorePreviousMode() * @since 2.50MP18 */ - public static void setAdminMode() { - getAdminModeStack().push(Boolean.TRUE); + public static void setAdminMode(boolean doOrgClientAccessCheck) { + OBAdminMode am = new OBAdminMode(); + am.setAdminMode(true); + am.setOrgClientAccessCheck(doOrgClientAccessCheck); + getAdminModeStack().push(am); if (OBContext.getOBContext() == null) { OBContext.setAdminContextLocally(); } else if (OBContext.getOBContext() == adminContext) { @@ -147,9 +152,25 @@ } } - private static Stack<Boolean> getAdminModeStack() { + /** + * Let's the current user run with Administrator privileges. If there is no current user then the + * special Administrator context is used. + * + * To restore the previous privileges call the {...@link #restorePreviousMode()}. + * + * If this method is used, entity access will also be checked. If you don't want entity access to + * be checked, you should use {...@link #setAdminMode(boolean checkEntityAccess)} + * + * @see OBContext#restorePreviousMode() + * @since 2.50MP18 + */ + public static void setAdminMode() { + setAdminMode(false); + } + + private static Stack<OBAdminMode> getAdminModeStack() { if (adminModeStack.get() == null) { - adminModeStack.set(new Stack<Boolean>()); + adminModeStack.set(new Stack<OBAdminMode>()); } return adminModeStack.get(); } @@ -171,7 +192,7 @@ */ public static void restorePreviousMode() { // remove the last admin mode from the stack - final Stack<Boolean> stack = getAdminModeStack(); + final Stack<OBAdminMode> stack = getAdminModeStack(); if (stack.size() > 0) { stack.pop(); } else { @@ -696,7 +717,10 @@ // can't use enableAsAdminContext here otherwise there is a danger of // recursive/infinite calls. // enableAsAdminContext(); - getAdminModeStack().push(Boolean.TRUE); + OBAdminMode am = new OBAdminMode(); + am.setAdminMode(true); + am.setOrgClientAccessCheck(true); + getAdminModeStack().push(am); try { setUser(u); Hibernate.initialize(getUser().getClient()); @@ -949,12 +973,19 @@ } public boolean isInAdministratorMode() { - if (getAdminModeStack().size() > 0 && getAdminModeStack().peek()) { + if (getAdminModeStack().size() > 0 && getAdminModeStack().peek().isAdminMode()) { return true; } return adminModeSet.get() != null || isAdministrator; } + public boolean doOrgClientAccessCheck() { + if (getAdminModeStack().size() > 0 && !getAdminModeStack().peek().doOrgClientAccessCheck()) { + return false; + } + return !(adminModeSet.get() != null || isAdministrator); + } + public boolean isAdminContext() { return this == adminContext; } @@ -1035,4 +1066,26 @@ public void setNewUI(boolean newUI) { this.newUI = newUI; } + + private static class OBAdminMode { + + private boolean adminMode; + private boolean doOrgClientAccessCheck; + + public void setAdminMode(boolean adminMode) { + this.adminMode = adminMode; + } + + public boolean isAdminMode() { + return adminMode; + } + + public void setOrgClientAccessCheck(boolean doOrgClientAccessCheck) { + this.doOrgClientAccessCheck = doOrgClientAccessCheck; + } + + public boolean doOrgClientAccessCheck() { + return doOrgClientAccessCheck; + } + } } \ No newline at end of file diff -r b4257b2efa7a -r 177150e9722d src/org/openbravo/dal/security/SecurityChecker.java --- a/src/org/openbravo/dal/security/SecurityChecker.java Thu Sep 09 09:16:22 2010 +0200 +++ b/src/org/openbravo/dal/security/SecurityChecker.java Fri Sep 10 04:10:44 2010 +0000 @@ -159,7 +159,8 @@ } final Entity entity = ((BaseOBObject) obj).getEntity(); - if (!obContext.isInAdministratorMode() && clientId.length() > 0) { + if ((!obContext.isInAdministratorMode() || obContext.doOrgClientAccessCheck()) + && clientId.length() > 0) { if (obj instanceof ClientEnabled) { if (!obContext.getCurrentClient().getId().equals(clientId)) { // TODO: maybe move rollback to exception throwing ------------------------------------------------------------------------------ Automate Storage Tiering Simply Optimize IT performance and efficiency through flexible, powerful, automated storage tiering capabilities. View this brief to learn how you can reduce costs and improve performance. http://p.sf.net/sfu/dell-sfdev2dev _______________________________________________ Openbravo-commits mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openbravo-commits
