From 074be8ab1af61ea1362aee0188b2ac70f8b61005 Mon Sep 17 00:00:00 2001
From: Carlos Ruiz
Date: Wed, 11 Dec 2013 10:11:50 -0500
Subject: [PATCH] IDEMPIERE-1624 Restrict access to System dashboards / based on patch from Nicolas Micoud (nmicoud)
---
 .../model/MDashboardContentAccess.java | 32 ++++++---
 .../org/adempiere/webui/window/WGadgets.java | 70 ++++++++++---------
 2 files changed, 62 insertions(+), 40 deletions(-)
diff --git a/org.adempiere.base/src/org/compiere/model/MDashboardContentAccess.java b/org.adempiere.base/src/org/compiere/model/MDashboardContentAccess.java
index 12db4e1c60..19a324b980 100644
--- a/org.adempiere.base/src/org/compiere/model/MDashboardContentAccess.java
+++ b/org.adempiere.base/src/org/compiere/model/MDashboardContentAccess.java
@@ -54,38 +54,54 @@ public class MDashboardContentAccess extends X_PA_DashboardContent_Access {
 parameters.add(AD_Client_ID);
 StringBuffer sql= new StringBuffer();
+ // First part : dashboards not configured in access and flagged to be shown in login (this is intended to show new dashboards, otherwise new dashboards won't be shown unless the user go and configure them)
 sql.append("SELECT PA_DashboardContent_ID,ColumnNo ")
 .append(" FROM PA_DashboardContent ")
 .append(" WHERE PA_DashboardContent_ID NOT IN (")
 .append(" SELECT PA_DashboardContent_ID ")
 .append(" FROM PA_DashboardContent_Access" )
- .append(" WHERE IsActive='Y' AND AD_Client_ID IN (0, ?))")
+ .append(" WHERE AD_Client_ID IN (0, ?))")
 .append(" AND IsShowInLogin='Y'")
 .append(" AND IsActive='Y' AND AD_Client_ID IN (0, ?)")
 .append(" UNION ALL")
+ // Second part : second part is to process the dashboards configured in content access
 .append(" SELECT ct.PA_DashboardContent_ID,ct.ColumnNo")
 .append(" FROM PA_DashboardContent ct")
 .append(" INNER JOIN PA_DashboardContent_Access cta on (ct.PA_DashboardContent_ID = cta.PA_DashboardContent_ID)")
 .append(" WHERE cta.IsActive='Y'")
 .append(" AND ct.IsActive='Y'");
- if(AD_Role >= 0){
- sql.append(" AND coalesce(cta.AD_Role_ID, ?) = ?");
+ if(AD_Role >= 0) {
+ sql.append(" AND COALESCE(cta.AD_Role_ID, ?) = ?");
 parameters.add(AD_Role);
 parameters.add(AD_Role);
 }
-
- if (AD_User >= 0){
- sql.append(" AND coalesce(cta.AD_User_ID, ?) = ?");
+ if (AD_User >= 0) {
+ sql.append(" AND COALESCE(cta.AD_User_ID, ?) = ?");
 parameters.add(AD_User);
 parameters.add(AD_User);
 }
 sql.append(" AND cta.AD_Client_ID in (0,?)");
 parameters.add(AD_Client_ID);
-
+
+ // New part : remove dashboard if inactive records
+ sql.append(" AND ct.PA_DashboardContent_ID NOT IN (SELECT PA_DashboardContent_ID FROM PA_DashboardContent_Access WHERE IsActive='N' AND ct.AD_Client_ID in (0,?)");
+ parameters.add(AD_Client_ID);
+ if (AD_Role >= 0) {
+ sql.append(" AND COALESCE(ct.AD_Role_ID, ?) = ?");
+ parameters.add(AD_Role);
+ parameters.add(AD_Role);
+ }
+ if (AD_User >= 0) {
+ sql.append(" AND COALESCE(ct.AD_User_ID, ?) = ?");
+ parameters.add(AD_User);
+ parameters.add(AD_User);
+ }
+ sql.append(")");
+
 sql.append(" ORDER BY ColumnNo");
-
+
 PreparedStatement pstmt=null;
 ResultSet rs = null;
diff --git a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WGadgets.java b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WGadgets.java
index 60a0606c77..4a8b549d96 100644
--- a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WGadgets.java
+++ b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WGadgets.java
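Review bot: The exclusion subquery added after `parameters.add(AD_Client_ID)` qualifies the PA_DashboardContent_Access columns with the outer alias `ct` (`ct.AD_Client_ID`, `COALESCE(ct.AD_Role_ID, ?)`, `COALESCE(ct.AD_User_ID, ?)`), while the rest of this same query reads those access columns as `cta.AD_Role_ID` and `cta.AD_User_ID`. As written the client/role/user conditions are evaluated against the outer PA_DashboardContent row rather than against the inactive access rows, so the exclusion either fails at execution (if PA_DashboardContent has no such columns, which the visible query suggests) or does not filter per access row; either way the restriction this commit sets out to add is not enforced here. Drop the prefix inside the subquery: `WHERE IsActive='N' AND AD_Client_ID in (0,?)`, `AND COALESCE(AD_Role_ID, ?) = ?`, `AND COALESCE(AD_User_ID, ?) = ?`. A comment above the block would also help the next reader: `// exclude dashboards that have an inactive (deny) access row matching this client/role/user`. The enclosing method starts before this hunk and continues after it.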
@@ -230,51 +230,57 @@ public class WGadgets extends Window implements EventListener{
 {
 Properties ctx = Env.getCtx();
- int AD_CLient_ID =Env.getAD_Client_ID(ctx);
+ int AD_Client_ID =Env.getAD_Client_ID(ctx);
 int AD_Role_ID = Env.getAD_Role_ID(ctx);
 int AD_User_ID = Env.getAD_User_ID(ctx);
 noItems.removeAll(noItems);
 yesItems.removeAll(yesItems);
- String query = " SELECT ct.PA_DashboardContent_ID, ct.Name "
- +" FROM PA_DashboardContent ct"
- +" WHERE ct.AD_Client_ID IN (0,?)"
- +" AND ct.IsActive='Y'"
- +" AND ct.PA_DashboardContent_ID NOT IN ("
- +" SELECT pre.PA_DashboardContent_ID"
- +" FROM PA_DashboardPreference pre"
- +" WHERE pre.AD_Client_ID IN (0,?)"
- +" AND pre.AD_Role_ID = ?"
- +" AND pre.AD_User_ID = ?"
- +" AND pre.AD_Org_ID=0 "
- +" AND pre.IsActive='Y') "
- +" AND ("
- +" ct.PA_DashboardContent_ID NOT IN ( SELECT PA_DashboardContent_ID "
- +" FROM PA_DashboardContent_Access"
- +" WHERE IsActive='Y' AND AD_Client_ID IN (0, ?))"
- +" OR ct.PA_DashboardContent_ID IN ( SELECT cta.PA_DashboardContent_ID "
- +" FROM PA_DashboardContent_Access cta "
- +" WHERE cta.IsActive='Y'"
- +" AND coalesce(cta.AD_Role_ID, ?) = ?"
- +" AND coalesce(cta.AD_User_ID, ?) = ?"
- +" AND cta.AD_Client_ID in (0,?) ) "
- +" )";
-
+ String query = ""
+ + "SELECT ct.PA_DashboardContent_ID, "
+ + " ct.Name "
+ + "FROM PA_DashboardContent ct "
+ + "WHERE ct.AD_Client_ID IN ( 0, ? ) "
+ + " AND ct.IsActive = 'Y' "
+ + " AND ct.PA_DashboardContent_ID NOT IN (SELECT pre.PA_DashboardContent_ID "
+ + " FROM PA_DashboardPreference pre "
+ + " WHERE pre.AD_Client_ID IN ( 0, ? ) "
+ + " AND pre.AD_Role_ID = ? "
+ + " AND pre.AD_User_ID = ? "
+ + " AND pre.AD_Org_ID = 0 "
+ + " AND pre.IsActive = 'Y') "
+ + " AND ( ct.PA_DashboardContent_ID NOT IN (SELECT cta.PA_DashboardContent_ID "
+ + " FROM PA_DashboardContent_Access cta "
+ + " WHERE cta.IsActive = 'N' "
+ + " AND COALESCE(cta.AD_Role_ID, ?) = ? "
+ + " AND COALESCE(cta.AD_User_ID, ?) = ? "
+ + " AND cta.AD_Client_ID IN ( 0, ? )) "
+ + " OR ct.PA_DashboardContent_ID IN (SELECT cta.PA_DashboardContent_ID "
+ + " FROM PA_DashboardContent_Access cta "
+ + " WHERE cta.IsActive = 'Y' "
+ + " AND COALESCE(cta.AD_Role_ID, ?) = ? "
+ + " AND COALESCE(cta.AD_User_ID, ?) = ? "
+ + " AND cta.AD_Client_ID IN ( 0, ? )) ) ";
+
 ResultSet rs = null;
 PreparedStatement pstmt = null;
 try {
 pstmt = DB.prepareStatement(query, null);
- pstmt.setInt(1, AD_CLient_ID);
- pstmt.setInt(2, AD_CLient_ID);
+ pstmt.setInt(1, AD_Client_ID);
+ pstmt.setInt(2, AD_Client_ID);
 pstmt.setInt(3, AD_Role_ID);
 pstmt.setInt(4, AD_User_ID);
- pstmt.setInt(5, AD_CLient_ID);
+ pstmt.setInt(5, AD_Role_ID);
 pstmt.setInt(6, AD_Role_ID);
- pstmt.setInt(7, AD_Role_ID);
+ pstmt.setInt(7, AD_User_ID);
 pstmt.setInt(8, AD_User_ID);
- pstmt.setInt(9, AD_User_ID);
- pstmt.setInt(10, AD_CLient_ID);
+ pstmt.setInt(9, AD_Client_ID);
+ pstmt.setInt(10, AD_Role_ID);
+ pstmt.setInt(11, AD_Role_ID);
+ pstmt.setInt(12, AD_User_ID);
+ pstmt.setInt(13, AD_User_ID);
+ pstmt.setInt(14, AD_Client_ID);
 rs = pstmt.executeQuery();
 while (rs.next()) {
@@ -298,7 +304,7 @@ public class WGadgets extends Window implements EventListener{
 +" AND IsActive='Y'";
 Query query1 =new Query(ctx,MDashboardPreference.Table_Name, where, null);
- query1.setParameters(new Object[]{AD_User_ID,AD_Role_ID ,AD_CLient_ID});
+ query1.setParameters(new Object[]{AD_User_ID,AD_Role_ID ,AD_Client_ID});
 List preference=query1.list();
 if(preference.size() > 0){
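Review bot: The rewritten first branch of the `AND ( ... OR ... )` condition now lists any dashboard that has no *inactive* access row matching the current role/user, whereas the removed version (and the first UNION part of MDashboardContentAccess in this same commit) only listed dashboards that have no access rows configured at all. A dashboard granted to a different role through an active PA_DashboardContent_Access row therefore shows up in this gadget chooser for a user whose role has no grant, which works against the "Restrict access" intent; whether adding it then renders anything depends on code outside this hunk. The `setInt` remapping for indices 1–14 does match the new placeholder order, so the problem is the condition itself rather than the binding. I would keep the "no access configured" branch keyed on client only and require both an active matching grant and no inactive matching deny in the second branch, re-binding the 15 placeholders as below. The enclosing method begins before this hunk.
```java
// … unchanged: SELECT / FROM / PA_DashboardPreference exclusion …
            + "  AND ( ct.PA_DashboardContent_ID NOT IN (SELECT cta.PA_DashboardContent_ID "
            + "                                           FROM PA_DashboardContent_Access cta "
            + "                                           WHERE cta.AD_Client_ID IN ( 0, ? )) "
            + "       OR ( ct.PA_DashboardContent_ID IN (SELECT cta.PA_DashboardContent_ID "
            + "                                           FROM PA_DashboardContent_Access cta "
            + "                                           WHERE cta.IsActive = 'Y' "
            + "                                             AND COALESCE(cta.AD_Role_ID, ?) = ? "
            + "                                             AND COALESCE(cta.AD_User_ID, ?) = ? "
            + "                                             AND cta.AD_Client_ID IN ( 0, ? )) "
            + "            AND ct.PA_DashboardContent_ID NOT IN (SELECT cta.PA_DashboardContent_ID "
            + "                                           FROM PA_DashboardContent_Access cta "
            + "                                           WHERE cta.IsActive = 'N' "
            + "                                             AND COALESCE(cta.AD_Role_ID, ?) = ? "
            + "                                             AND COALESCE(cta.AD_User_ID, ?) = ? "
            + "                                             AND cta.AD_Client_ID IN ( 0, ? )) ) ) ";
// … unchanged: prepareStatement and bindings 1-4 …
            pstmt.setInt(5, AD_Client_ID);   // branch 1: no access row configured
            pstmt.setInt(6, AD_Role_ID);     // branch 2: active grant for role/user
            pstmt.setInt(7, AD_Role_ID);
            pstmt.setInt(8, AD_User_ID);
            pstmt.setInt(9, AD_User_ID);
            pstmt.setInt(10, AD_Client_ID);
            pstmt.setInt(11, AD_Role_ID);    // branch 2: no inactive (deny) row for role/user
            pstmt.setInt(12, AD_Role_ID);
            pstmt.setInt(13, AD_User_ID);
            pstmt.setInt(14, AD_User_ID);
            pstmt.setInt(15, AD_Client_ID);
// … unchanged: executeQuery and result loop …
```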