details: /erp/devel/pi/rev/717a56cbb955
changeset: 9816:717a56cbb955
user: Martin Taal <martin.taal <at> openbravo.com>
date: Fri Jan 14 16:56:06 2011 +0100
summary: Fixes issue 15660: I receive an error message when completing an
Invoice
diffstat:
src-test/org/openbravo/test/security/EntityAccessTest.java | 34 +++++++++++++-
src/org/openbravo/base/structure/BaseOBObject.java | 25 +++++++++-
src/org/openbravo/service/db/CallProcess.java | 4 +
3 files changed, 59 insertions(+), 4 deletions(-)
diffs (134 lines):
diff -r 515908ffb2af -r 717a56cbb955
src-test/org/openbravo/test/security/EntityAccessTest.java
--- a/src-test/org/openbravo/test/security/EntityAccessTest.java Fri Jan
14 15:14:31 2011 +0100
+++ b/src-test/org/openbravo/test/security/EntityAccessTest.java Fri Jan
14 16:56:06 2011 +0100
@@ -11,7 +11,7 @@
* under the License.
* The Original Code is Openbravo ERP.
* The Initial Developer of the Original Code is Openbravo SLU
- * All portions are Copyright (C) 2008 Openbravo SLU
+ * All portions are Copyright (C) 2008-2011 Openbravo SLU
* All Rights Reserved.
* Contributor(s): ______________________________________.
************************************************************************
@@ -25,6 +25,8 @@
import org.hibernate.criterion.Expression;
import org.openbravo.base.exception.OBSecurityException;
import org.openbravo.base.provider.OBProvider;
+import org.openbravo.base.structure.BaseOBObject;
+import org.openbravo.dal.core.OBContext;
import org.openbravo.dal.security.EntityAccessChecker;
import org.openbravo.dal.service.OBCriteria;
import org.openbravo.dal.service.OBDal;
@@ -90,7 +92,8 @@
/**
* Checks the derived readable concept, only identifier fields of a derived
readable object may be
- * read.
+ * read. Also checks the allowRead concept of a BaseOBObject (
+ * {@link BaseOBObject#setAllowRead(boolean)})
*/
public void testCheckDerivedReadableCurrency() {
setUserContext(TEST2_USER_ID);
@@ -103,6 +106,33 @@
} catch (final OBSecurityException e) {
assertTrue("Wrong exception thrown: " + e.getMessage(),
e.getMessage().indexOf(
"is not directly readable") != -1);
+
+ try {
+ c.setAllowRead(true);
+ fail("Allow read my only be called in adminmode");
+ } catch (OBSecurityException x) {
+ OBContext.setAdminMode();
+ try {
+ c.setAllowRead(true);
+ } finally {
+ OBContext.restorePreviousMode();
+ }
+ // this should be allowed
+ log.debug(c.getCostingPrecision());
+ // set back
+ OBContext.setAdminMode();
+ try {
+ c.setAllowRead(false);
+ } finally {
+ OBContext.restorePreviousMode();
+ }
+ try {
+ c.setAllowRead(true);
+ fail("Allow read my only be called in adminmode");
+ } catch (OBSecurityException y) {
+ // okay
+ }
+ }
}
}
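Review bot: After the flag is set back with `c.setAllowRead(false)`, the test only re-checks that the setter is guarded; it never asserts that a read of a non-identifier property is rejected again. The security-relevant half of the reset is therefore untested. Presumably `c.getCostingPrecision()` is such a read, since the test marks it "this should be allowed" only after the flag is set, so the same call can serve as the negative check directly after the reset. Both `fail` messages also say "my only" where "may only" is meant. The added code sits inside the existing catch block of testCheckDerivedReadableCurrency, whose body starts outside this hunk.

```java
// … unchanged: setAllowRead(false) inside setAdminMode()/restorePreviousMode() …
try {
  c.getCostingPrecision();
  fail("Derived readable check must apply again after setAllowRead(false)");
} catch (OBSecurityException expected) {
  // okay
}
```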
diff -r 515908ffb2af -r 717a56cbb955
src/org/openbravo/base/structure/BaseOBObject.java
--- a/src/org/openbravo/base/structure/BaseOBObject.java Fri Jan 14
15:14:31 2011 +0100
+++ b/src/org/openbravo/base/structure/BaseOBObject.java Fri Jan 14
16:56:06 2011 +0100
@@ -11,7 +11,7 @@
* under the License.
* The Original Code is Openbravo ERP.
* The Initial Developer of the Original Code is Openbravo SLU
- * All portions are Copyright (C) 2008 Openbravo SLU
+ * All portions are Copyright (C) 2008-2011 Openbravo SLU
* All Rights Reserved.
* Contributor(s): ______________________________________.
************************************************************************
@@ -64,6 +64,9 @@
// computed once therefore an object type
private Boolean isDerivedReadable;
+ // if set to true then derived readable is not checked
+ private boolean allowRead = false;
+
// is used to set default data in a constructor of the generated class
// without a security check
protected void setDefaultValue(String propName, Object value) {
@@ -163,7 +166,8 @@
protected void checkDerivedReadable(Property p) {
final OBContext obContext = OBContext.getOBContext();
// obContext can be null in the OBContext initialize method
- if (obContext != null && obContext.isInitialized() &&
!obContext.isInAdministratorMode()) {
+ if (!isAllowRead() && obContext != null && obContext.isInitialized()
+ && !obContext.isInAdministratorMode()) {
if (isDerivedReadable == null) {
isDerivedReadable =
obContext.getEntityAccessChecker().isDerivedReadable(getEntity());
}
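Review bot: `!isAllowRead()` is evaluated before the context checks, so once the flag is set the derived-readable check is skipped for every later reader of this instance, including after admin mode has been restored. Nothing in the visible code clears the flag. That is a per-object bypass of an access check, and the field comment in the preceding hunk (`// if set to true then derived readable is not checked`) undersells it. I would state the lifetime there, e.g. `// when true, checkDerivedReadable is skipped for this instance for all users until reset; only settable in admin mode`. Because isAllowRead() is public and overridable, testing the private field directly in this condition would keep the decision out of subclasses; checkDerivedReadable continues past the end of the hunk.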
@@ -264,4 +268,21 @@
public void setNewOBObject(boolean newOBObject) {
this.newOBObject = newOBObject;
}
+
+ public boolean isAllowRead() {
+ return allowRead;
+ }
+
+ /**
+ * Sets if the object maybe read also by non-authorized users. Can only be
called in admin mode
+ * (see {@link OBContext#setAdminMode()}.
+ *
+ * @param allowRead
+ */
+ public void setAllowRead(boolean allowRead) {
+ if (!OBContext.getOBContext().isInAdministratorMode()) {
+ throw new OBSecurityException("setAllowRead may only be called in admin
mode");
+ }
+ this.allowRead = allowRead;
+ }
}
\ No newline at end of file
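Review bot: setAllowRead dereferences `OBContext.getOBContext()` without a null check, although checkDerivedReadable in this same file notes that the context can be null during OBContext initialisation. A call made with no context therefore fails with a NullPointerException rather than the intended OBSecurityException. Guard it with `final OBContext ctx = OBContext.getOBContext();` followed by `if (ctx == null || !ctx.isInAdministratorMode()) {`. In the Javadoc, the parenthesis opened before `{@link OBContext#setAdminMode()}` is never closed, "maybe" should read "may be", and the empty `@param allowRead` should say that true disables the derived-readable check for this instance.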
diff -r 515908ffb2af -r 717a56cbb955
src/org/openbravo/service/db/CallProcess.java
--- a/src/org/openbravo/service/db/CallProcess.java Fri Jan 14 15:14:31
2011 +0100
+++ b/src/org/openbravo/service/db/CallProcess.java Fri Jan 14 16:56:06
2011 +0100
@@ -133,6 +133,10 @@
pInstance.setProcess(process);
// must be set to true
pInstance.setActive(true);
+
+ // allow it to be read by others also
+ pInstance.setAllowRead(true);
+
if (recordID != null) {
pInstance.setRecordID(recordID);
} else {
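Review bot: `pInstance.setAllowRead(true)` throws OBSecurityException unless the context is in admin mode, and the hunk does not show the surrounding method entering admin mode, so please confirm that every path reaching this line runs between `OBContext.setAdminMode()` and `restorePreviousMode()`. The flag is also never reset, so any code that later holds this process instance can read all of its properties regardless of role. The comment `// allow it to be read by others also` should say who the others are and why that is acceptable, for example (if this matches the intent) `// the calling user must read the result after admin mode is restored, so skip the derived-readable check on this instance`. The enclosing method starts and ends outside the hunk.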