IDEMPIERE-4213 Window Toolbar attached processes are doesn't validate role access (#265)

2020-09-22 04:52:46 +02:00 · 2020-09-22 04:52:46 +02:00 · 1ddbe3eef5
parent c5079d5106
commit 1ddbe3eef5
2 changed files with 17 additions and 1 deletions
--- a/org.adempiere.base/src/org/compiere/model/GridField.java
+++ b/org.adempiere.base/src/org/compiere/model/GridField.java
@ -505,6 +505,13 @@ public class GridField
 					return false;
 				if (!MRole.getDefault(ctx, false).isColumnAccess(AD_Table_ID, m_vo.AD_Column_ID, false))
 					return false;
+				if (getDisplayType() == DisplayType.Button && getAD_Process_ID() > 0) {
+					// Verify access to process for buttons
+					Boolean access = MRole.getDefault().getProcessAccess(getAD_Process_ID());
+					if (access == null || !access.booleanValue())
+						return false;
+				}
+				
 			}
 		}
 			
--- a/org.adempiere.base/src/org/compiere/model/MRole.java
+++ b/org.adempiere.base/src/org/compiere/model/MRole.java
@ -39,6 +39,7 @@ import java.util.logging.Level;
 import org.adempiere.exceptions.AdempiereException;
 import org.compiere.util.CLogger;
 import org.compiere.util.DB;
+import org.compiere.util.DisplayType;
 import org.compiere.util.Env;
 import org.compiere.util.Ini;
 import org.compiere.util.KeyNamePair;
@ -1463,7 +1464,15 @@ public final class MRole extends X_AD_Role implements ImmutablePOSupport
 		if (!isTableAccess(AD_Table_ID, ro))		//	No Access to Table		
 			return false;
 		loadColumnAccess(false);
-		
+
+		// Verify access to process for buttons
+		MColumn column = MColumn.get(Env.getCtx(), AD_Column_ID);
+		if (column.getAD_Reference_ID() == DisplayType.Button && column.getAD_Process_ID() > 0) {
+			Boolean access = MRole.getDefault().getProcessAccess(column.getAD_Process_ID());
+			if (access == null)
+				return false;
+		}
+
 		boolean retValue = true;		//	assuming exclusive
 		for (int i = 0; i < m_columnAccess.length; i++)
 		{