details: https://code.openbravo.com/erp/devel/pi/rev/cab170f3cdc5 changeset: 35539:cab170f3cdc5 user: Javier Armendáriz <javier.armendariz <at> openbravo.com> date: Tue Mar 12 19:24:58 2019 +0100 summary: Fixed issue 40303: Organization table shows all orgs regardless user visibility
Added an HQL where clause for the organization tab to filter properly its data. diffstat: modules/org.openbravo.service.datasource/src/org/openbravo/service/datasource/TreeDatasourceService.java | 16 +- modules/org.openbravo.service.json/src/org/openbravo/service/json/AdvancedQueryBuilder.java | 10 +- src-db/database/sourcedata/AD_TAB.xml | 1 + src-test/src/org/openbravo/test/AllWebserviceTests.java | 2 + src-test/src/org/openbravo/test/datasource/OrganizationWindowRoleFilterTest.java | 104 ++++++++++ 5 files changed, 128 insertions(+), 5 deletions(-) diffs (226 lines):
diff -r edbcd9f7b55c -r cab170f3cdc5 modules/org.openbravo.service.datasource/src/org/openbravo/service/datasource/TreeDatasourceService.java
--- a/modules/org.openbravo.service.datasource/src/org/openbravo/service/datasource/TreeDatasourceService.java Fri Mar 15 11:53:09 2019 +0100
+++ b/modules/org.openbravo.service.datasource/src/org/openbravo/service/datasource/TreeDatasourceService.java Tue Mar 12 19:24:58 2019 +0100
@@ -11,7 +11,7 @@
 * under the License.
 * The Original Code is Openbravo ERP.
 * The Initial Developer of the Original Code is Openbravo SLU
- * All portions are Copyright (C) 2013-2017 Openbravo SLU
+ * All portions are Copyright (C) 2013-2019 Openbravo SLU
 * All Rights Reserved.
 * Contributor(s): ______________________________________.
 ************************************************************************
@@ -31,6 +31,7 @@
 import javax.enterprise.inject.UnsatisfiedResolutionException;
 import javax.inject.Inject;
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.codehaus.jettison.json.JSONArray;
@@ -75,6 +76,7 @@
 private static final String AD_ORG_TABLE_ID = "155";
 private static final String ROOT_ORGANIZATION_ID = "0";
 private static final String SUMMARY_LEVEL_PROPERTY = "summaryLevel";
+ private static final String ACCESSIBLE_ORG_TREE = "#AccessibleOrgTree";
 @Inject
 private DataSourceServiceProvider dataSourceServiceProvider;
@@ -770,8 +772,7 @@
 if (replacements.get(key).equals("'null'")) {
 // Strip the "@" from the key
 String keyWithoutAt = key.substring(1, key.length() - 1);
- hqlCopy = hqlCopy.replaceAll(key,
- "'" + (String) RequestContext.get().getSessionAttribute(keyWithoutAt) + "'");
+ hqlCopy = hqlCopy.replaceAll(key, getEscapedSessionAttribute(keyWithoutAt));
 } else {
 hqlCopy = hqlCopy.replaceAll(key, replacements.get(key));
 }
@@ -779,6 +780,15 @@
 return hqlCopy;
 }
+ private String getEscapedSessionAttribute(String keyWithoutAt) {
+ String value = (String) RequestContext.get().getSessionAttribute(keyWithoutAt);
+ if (ACCESSIBLE_ORG_TREE.equals(keyWithoutAt)) {
+ return value;
+ }
+
+ return "'" + StringEscapeUtils.escapeSql(value) + "'";
+ }
+
 /**
 * @param parameters
 * a map with the parameters of the request
diff -r edbcd9f7b55c -r cab170f3cdc5 modules/org.openbravo.service.json/src/org/openbravo/service/json/AdvancedQueryBuilder.java
--- a/modules/org.openbravo.service.json/src/org/openbravo/service/json/AdvancedQueryBuilder.java Fri Mar 15 11:53:09 2019 +0100
+++ b/modules/org.openbravo.service.json/src/org/openbravo/service/json/AdvancedQueryBuilder.java Tue Mar 12 19:24:58 2019 +0100
@@ -128,6 +128,7 @@
 private static final String OPERATOR_IBETWEEN = "iBetween";
 private static final String OPERATOR_IBETWEENINCLUSIVE = "iBetweenInclusive";
 public static final String OPERATOR_EXISTS = "exists";
+ private static final String ACCESIBLE_ORG_TREE_ARG = "#AccessibleOrgTree";
 private JSONObject criteria = null;
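Review bot: The new `hqlCopy = hqlCopy.replaceAll(key, getEscapedSessionAttribute(keyWithoutAt));` still passes the session value as a `String.replaceAll` replacement string, in which `$` is a group reference and `\` an escape, so a value containing either is rewritten or throws `IllegalArgumentException`; `escapeSql` only doubles single quotes and does not address this. Making the substitution literal is a one-line change, `hqlCopy = hqlCopy.replaceAll(key, Matcher.quoteReplacement(getEscapedSessionAttribute(keyWithoutAt)));`, with `java.util.regex.Matcher` imported. The untouched `else` branch two lines below has the same shape. The enclosing loop begins and ends outside the hunk.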
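Review bot: `getEscapedSessionAttribute` returns the `#AccessibleOrgTree` value unquoted and unescaped while every other attribute is single-quoted through `escapeSql`, and nothing in the method says why the two paths differ or what shape the raw value must have. A Javadoc on the method should state that the `#AccessibleOrgTree` attribute is spliced as-is into an `in (...)` clause (see `e.id in (@#AccessibleOrgTree@)` in AD_TAB.xml) and is therefore expected to be a system-built, comma-separated list of already-quoted organization ids rather than anything taken from the request — that expectation is inferred from the code here and should be confirmed against where the attribute is set. It should also note that `escapeSql` only doubles single quotes, so the quoted branch is not a general-purpose escape, and that a missing attribute still yields the literal `'null'` as it did before this change.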
@@ -1210,7 +1211,7 @@
 }
 private String substituteContextParameters(String currentWhereClause) {
- // This method will check for any remaining @param@s
+ // This method will check for any remaining @params@
 // If there are still some in the whereclause, they will be resolved by calling the getContext()
 // method
 if (!currentWhereClause.contains("@")) {
@@ -1285,7 +1286,12 @@
 }
 localWhereClause = prefix + getTypedParameterAlias() + suffix;
- typedParameters.add(paramValue);
+
+ if (ACCESIBLE_ORG_TREE_ARG.equals(param)) {
+ typedParameters.add(OBContext.getOBContext().getReadableOrganizations());
+ } else {
+ typedParameters.add(paramValue);
+ }
 }
 return localWhereClause;
 }
diff -r edbcd9f7b55c -r cab170f3cdc5 src-db/database/sourcedata/AD_TAB.xml
--- a/src-db/database/sourcedata/AD_TAB.xml Fri Mar 15 11:53:09 2019 +0100
+++ b/src-db/database/sourcedata/AD_TAB.xml Tue Mar 12 19:24:58 2019 +0100
@@ -973,6 +973,7 @@
 <!--143--> <ISSORTTAB><![CDATA[N]]></ISSORTTAB>
 <!--143--> <AD_MODULE_ID><![CDATA[0]]></AD_MODULE_ID>
 <!--143--> <UIPATTERN><![CDATA[SR]]></UIPATTERN>
+<!--143--> <HQLWHERECLAUSE><![CDATA[e.id in (@#AccessibleOrgTree@)]]></HQLWHERECLAUSE>
 <!--143--> <SHOWPARENTBUTTONS><![CDATA[Y]]></SHOWPARENTBUTTONS>
 <!--143--> <AD_TABLE_TREE_ID><![CDATA[21E9F7EED1F24E95B0F4F21CF87AF995]]></AD_TABLE_TREE_ID>
 <!--143--> <DISABLE_PARENT_KEY_PROPERTY><![CDATA[N]]></DISABLE_PARENT_KEY_PROPERTY>
diff -r edbcd9f7b55c -r cab170f3cdc5 src-test/src/org/openbravo/test/AllWebserviceTests.java
--- a/src-test/src/org/openbravo/test/AllWebserviceTests.java Fri Mar 15 11:53:09 2019 +0100
+++ b/src-test/src/org/openbravo/test/AllWebserviceTests.java Tue Mar 12 19:24:58 2019 +0100
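Review bot: `typedParameters.add(OBContext.getOBContext().getReadableOrganizations());` binds the whole readable-organization set to the single alias produced by `localWhereClause = prefix + getTypedParameterAlias() + suffix;`, yet the clause it serves is `e.id in (@#AccessibleOrgTree@)` (AD_TAB.xml), which needs a list expansion; if that alias is later bound with `setParameter` rather than `setParameterList`, an array or collection value will not expand, so the binding code (outside this hunk) should be confirmed. The branch also silently discards the `paramValue` resolved earlier in the method; a comment such as `// #AccessibleOrgTree is taken from OBContext so the bound value is the role's readable organizations, not the raw session string` would make the intent explicit. The constant is spelled `ACCESIBLE_ORG_TREE_ARG` while TreeDatasourceService names the same value `ACCESSIBLE_ORG_TREE`; aligning the spelling keeps the two substitution paths easy to find together. In the `-1210` hunk the comment edit to `@params@` reads as a placeholder literally named `params`, whereas the original `@param@s` (plural of `@param@`) matched what the method does. The enclosing method starts above the hunk.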
@@ -34,6 +34,7 @@
 import org.openbravo.test.datasource.NonIdForeignKeyFilters;
 import org.openbravo.test.datasource.OpenRecordAfterLogin;
 import org.openbravo.test.datasource.OrganizationSelectorDataSourceTest;
+import org.openbravo.test.datasource.OrganizationWindowRoleFilterTest;
 import org.openbravo.test.datasource.OtherDatasourceRequests;
 import org.openbravo.test.datasource.ProductSelectorDataSourceTest;
 import org.openbravo.test.datasource.ResetCookieOnLogin;
@@ -76,6 +77,7 @@
 TestCSVEncoding.class, //
 SelectorFieldPropertySelectorDSTest.class, //
 SelectorPickListFieldsDataSourceTest.class, //
+ OrganizationWindowRoleFilterTest.class, //
 OrganizationSelectorDataSourceTest.class, //
 ProductSelectorDataSourceTest.class, //
 TestComboDatasource.class, //
diff -r edbcd9f7b55c -r cab170f3cdc5 src-test/src/org/openbravo/test/datasource/OrganizationWindowRoleFilterTest.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src-test/src/org/openbravo/test/datasource/OrganizationWindowRoleFilterTest.java Tue Mar 12 19:24:58 2019 +0100
@@ -0,0 +1,104 @@
+/*
+ *************************************************************************
+ * The contents of this file are subject to the Openbravo Public License
+ * Version 1.1 (the "License"), being the Mozilla Public License
+ * Version 1.1 with a permitted attribution clause; you may not use this
+ * file except in compliance with the License. You may obtain a copy of
+ * the License at http://www.openbravo.com/legal/license.html
+ * Software distributed under the License is distributed on an "AS IS"
+ * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
+ * License for the specific language governing rights and limitations
+ * under the License.
+ * The Original Code is Openbravo ERP.
+ * The Initial Developer of the Original Code is Openbravo SLU
+ * All portions are Copyright (C) 2019 Openbravo SLU
+ * All Rights Reserved.
+ * Contributor(s): ______________________________________.
+ ************************************************************************
+ */
+package org.openbravo.test.datasource;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.codehaus.jettison.json.JSONObject;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.openbravo.base.provider.OBProvider;
+import org.openbravo.dal.service.OBDal;
+import org.openbravo.model.ad.access.Role;
+import org.openbravo.model.ad.access.WindowAccess;
+import org.openbravo.model.ad.system.Client;
+import org.openbravo.model.ad.ui.Window;
+import org.openbravo.model.common.enterprise.Organization;
+
+/**
+ * Test class to verify that Organization Window shows only the readable organizations for a role,
+ * when this role has access to only a subset of all available organizations
+ *
+ * @author jarmendariz
+ */
+public class OrganizationWindowRoleFilterTest extends BaseDataSourceTestDal {
+ private static final String F_B_SPAIN_EMPLOYEE_ROLE = "D615084948E046E3A439915008F464A6";
+ private static final String NORTH_ZONE_ORGANIZATION = "E443A31992CB4635AFCAEABE7183CE85";
+ private static final String F_B_INTL_GROUP_CLIENT = "23C59575B9CF467C9620760EB255B389";
+ private static final String ASTERISK_ORGANIZATION = "0";
+ private static final String ORGANIZATION_WINDOW = "110";
+ private static final String EN_US_LANG = "192";
+ private String windowAccessId;
+
+ @Before
+ public void setUp() throws Exception {
+ super.setUp();
+ windowAccessId = enableOrgWindowsAccessToRole(F_B_SPAIN_EMPLOYEE_ROLE);
+ }
+
+ @Test
+ public void testOrganizationShowsOnlyReadableOrgsByRole() throws Exception {
+ changeProfile(F_B_SPAIN_EMPLOYEE_ROLE, EN_US_LANG, NORTH_ZONE_ORGANIZATION, null);
+
+ Assert.assertEquals("Number of readable Organizations returned by datasource not matching", 5,
+ getTotalOrganizationDSRequestResult());
+ }
+
+ @After
+ public void tearDown() {
+ removeOrgWindowAccess(windowAccessId);
+ windowAccessId = "";
+ }
+
+ private int getTotalOrganizationDSRequestResult() throws Exception {
+ Map<String, String> params = new HashMap<>();
+ params.put("_operationType", "fetch");
+ params.put("windowId", "110");
+ params.put("tabId", "143");
+ params.put("_startRow", "0");
+ params.put("_endRow", "100");
+
+ String response = doRequest("/org.openbravo.service.datasource/Organization", params, 200,
+ "POST");
+ JSONObject resp = new JSONObject(response).getJSONObject("response");
+ return resp.getInt("totalRows");
+ }
+
+ private String enableOrgWindowsAccessToRole(String roleId) {
+ WindowAccess orgWindowAccess = OBProvider.getInstance().get(WindowAccess.class);
+ orgWindowAccess.setWindow(OBDal.getInstance().getProxy(Window.class, ORGANIZATION_WINDOW));
+ orgWindowAccess.setRole(OBDal.getInstance().getProxy(Role.class, roleId));
+ orgWindowAccess.setClient(OBDal.getInstance().getProxy(Client.class, F_B_INTL_GROUP_CLIENT));
+ orgWindowAccess
+ .setOrganization(OBDal.getInstance().getProxy(Organization.class, ASTERISK_ORGANIZATION));
+ OBDal.getInstance().save(orgWindowAccess);
+ OBDal.getInstance().commitAndClose();
+
+ return orgWindowAccess.getId();
+ }
+
+ private void removeOrgWindowAccess(String winAccessId) {
+ OBDal.getInstance().remove(OBDal.getInstance().get(WindowAccess.class, winAccessId));
+ OBDal.getInstance().commitAndClose();
+ }
+}
_______________________________________________ Openbravo-commits mailing list Openbravo-commits@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openbravo-commits
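Review bot: `getTotalOrganizationDSRequestResult` hard-codes `params.put("windowId", "110");` even though the class defines `ORGANIZATION_WINDOW = "110"` for the same window, and `"143"` is a bare tab id; using the constant and adding `private static final String ORGANIZATION_TAB = "143";` keeps the fixture ids in one place. `tearDown` passes `windowAccessId` to `OBDal.getInstance().get(WindowAccess.class, winAccessId)` unconditionally, so if `setUp` fails before the access row is saved the id is still null and the `remove` call would likely fail on a null entity and mask the original error; a guard such as `if (windowAccessId != null && !windowAccessId.isEmpty())` before the cleanup is cheap. The test only drives the standard `Organization` datasource, so the raw `#AccessibleOrgTree` substitution added to TreeDatasourceService in this commit gets no coverage here; a second request through the tree datasource would close that gap. The expected count of 5 depends on the sample data for `F_B_SPAIN_EMPLOYEE_ROLE`, which the class Javadoc could state.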