details:   https://code.openbravo.com/erp/devel/pi/rev/9730a855daf3
changeset: 29370:9730a855daf3
user:      Inigo Sanchez <inigo.sanchez <at> openbravo.com>
date:      Sun May 01 18:02:32 2016 +0200
summary:   Fixed issue 32819:An error is thrown when a Query List Widget is 
fetched

The problem was that an exception is thrown because the entity OBKMO_WidgetClass
is not readable by the user 100. The problem occurs when trying to get a
WidgetClass to check security:
OBDal.getInstance().get(WidgetClass.class,parameters.get("widgetId"));

It has been resolved by adding an OBContext.setAdminMode(true) call before
obtaining the WidgetClass.

diffstat:

 
modules/org.openbravo.client.querylist/src/org/openbravo/client/querylist/QueryListDataSource.java
 |  61 +++++----
 1 files changed, 33 insertions(+), 28 deletions(-)

diffs (73 lines):

diff -r 4957d74ca93c -r 9730a855daf3 
modules/org.openbravo.client.querylist/src/org/openbravo/client/querylist/QueryListDataSource.java
--- 
a/modules/org.openbravo.client.querylist/src/org/openbravo/client/querylist/QueryListDataSource.java
        Sun May 01 19:01:03 2016 +0200
+++ 
b/modules/org.openbravo.client.querylist/src/org/openbravo/client/querylist/QueryListDataSource.java
        Sun May 01 18:02:32 2016 +0200
@@ -90,36 +90,41 @@
   @Override
   public void checkFetchDatasourceAccess(Map<String, String> parameters) {
     // Check security: continue only if the widget instance is visible for 
current user/role
-    WidgetClass widgetClass = OBDal.getInstance()
-        .get(WidgetClass.class, parameters.get("widgetId"));
-    WidgetInstance wi = OBDal.getInstance().get(WidgetInstance.class,
-        parameters.get("widgetInstanceId"));
+    OBContext.setAdminMode(true);
+    try {
+      WidgetClass widgetClass = OBDal.getInstance().get(WidgetClass.class,
+          parameters.get("widgetId"));
+      WidgetInstance wi = OBDal.getInstance().get(WidgetInstance.class,
+          parameters.get("widgetInstanceId"));
 
-    boolean accessibleWidgetInForm = false;
-    if (wi == null) {
-      accessibleWidgetInForm = isAccessibleWidgetInForm(widgetClass);
-    }
-    if (!accessibleWidgetInForm
-        && (wi == null || wi.getWidgetClass().getId() != widgetClass.getId())) 
{
-      // weird stuff: widget class doesn't match widget instance's class, most 
probably URL is
-      // not generated by UI, but user is typing it
-      log.error("User " + OBContext.getOBContext().getUser() + " with role "
-          + OBContext.getOBContext().getRole() + " is trying to access widget 
'"
-          + widgetClass.getWidgetTitle() + "' but widget istance doesn't match 
with class");
-      throw new 
OBSecurityException(OBMessageUtils.getI18NMessage("OBCQL_NoAccessToWidget",
-          new String[] { widgetClass.getWidgetTitle() }));
-    }
+      boolean accessibleWidgetInForm = false;
+      if (wi == null) {
+        accessibleWidgetInForm = isAccessibleWidgetInForm(widgetClass);
+      }
+      if (!accessibleWidgetInForm
+          && (wi == null || wi.getWidgetClass().getId() != 
widgetClass.getId())) {
+        // weird stuff: widget class doesn't match widget instance's class, 
most probably URL is
+        // not generated by UI, but user is typing it
+        log.error("User " + OBContext.getOBContext().getUser() + " with role "
+            + OBContext.getOBContext().getRole() + " is trying to access 
widget '"
+            + widgetClass.getWidgetTitle() + "' but widget istance doesn't 
match with class");
+        throw new 
OBSecurityException(OBMessageUtils.getI18NMessage("OBCQL_NoAccessToWidget",
+            new String[] { widgetClass.getWidgetTitle() }));
+      }
 
-    if (!accessibleWidgetInForm
-        && (OBContext.getOBContext() != null
-            && ((wi.getVisibleAtUser() != null && 
!wi.getVisibleAtUser().getId()
-                .equals(OBContext.getOBContext().getUser().getId()))) || 
(wi.getVisibleAtRole() != null && !wi
-            
.getVisibleAtRole().getId().equals(OBContext.getOBContext().getRole().getId()))))
 {
-      log.error("User " + OBContext.getOBContext().getUser() + " with role "
-          + OBContext.getOBContext().getRole() + " is trying to access widget 
'"
-          + widgetClass.getWidgetTitle() + "' which is not granted");
-      throw new 
OBSecurityException(OBMessageUtils.getI18NMessage("OBCQL_NoAccessToWidget",
-          new String[] { widgetClass.getWidgetTitle() }));
+      if (!accessibleWidgetInForm
+          && (OBContext.getOBContext() != null
+              && ((wi.getVisibleAtUser() != null && 
!wi.getVisibleAtUser().getId()
+                  .equals(OBContext.getOBContext().getUser().getId()))) || 
(wi.getVisibleAtRole() != null && !wi
+              
.getVisibleAtRole().getId().equals(OBContext.getOBContext().getRole().getId()))))
 {
+        log.error("User " + OBContext.getOBContext().getUser() + " with role "
+            + OBContext.getOBContext().getRole() + " is trying to access 
widget '"
+            + widgetClass.getWidgetTitle() + "' which is not granted");
+        throw new 
OBSecurityException(OBMessageUtils.getI18NMessage("OBCQL_NoAccessToWidget",
+            new String[] { widgetClass.getWidgetTitle() }));
+      }
+    } finally {
+      OBContext.restorePreviousMode();
     }
   }
 
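Review bot: `OBContext.setAdminMode(true)` now wraps the whole authorization check, although only the two `OBDal.getInstance().get(...)` loads failed on the non-readable entity; `isAccessibleWidgetInForm(widgetClass)` and both visibility comparisons now also run with entity access checks relaxed. The body of `isAccessibleWidgetInForm` is outside the hunk, so if it depends on what the current role may read, its answer can differ under admin mode. I would limit the admin-mode block to the two loads and run the checks after `restorePreviousMode()`, provided the getters used afterwards (`wi.getWidgetClass()`, `wi.getVisibleAtUser()`, `wi.getVisibleAtRole()`) do not themselves need admin mode, which should be confirmed. Separately, the class match still compares ids with `!=` while the user and role checks below use `.equals(...)`; `!wi.getWidgetClass().getId().equals(widgetClass.getId())` would be consistent, and `widgetClass` is dereferenced without a null check when `widgetId` does not resolve.

```java
  public void checkFetchDatasourceAccess(Map<String, String> parameters) {
    final WidgetClass widgetClass;
    final WidgetInstance wi;
    // Admin mode only for the loads that fail on the non-readable entity
    OBContext.setAdminMode(true);
    try {
      widgetClass = OBDal.getInstance().get(WidgetClass.class, parameters.get("widgetId"));
      wi = OBDal.getInstance().get(WidgetInstance.class, parameters.get("widgetInstanceId"));
    } finally {
      OBContext.restorePreviousMode();
    }
    // … unchanged: class/instance match and user/role visibility checks, now outside admin mode …
```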
