From 1ddbe3eef5c02e457a1d8f740cd1b15e02c3fff0 Mon Sep 17 00:00:00 2001
From: Carlos Ruiz
Date: Tue, 22 Sep 2020 04:52:46 +0200
Subject: [PATCH] IDEMPIERE-4213 Window Toolbar attached processes are doesn't validate role access (#265)
---
 .../src/org/compiere/model/GridField.java | 7 +++++++
 org.adempiere.base/src/org/compiere/model/MRole.java | 11 ++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/org.adempiere.base/src/org/compiere/model/GridField.java b/org.adempiere.base/src/org/compiere/model/GridField.java
index e9a5410d65..0865d69828 100644
--- a/org.adempiere.base/src/org/compiere/model/GridField.java
+++ b/org.adempiere.base/src/org/compiere/model/GridField.java
@@ -505,6 +505,13 @@ public class GridField
 return false;
 if (!MRole.getDefault(ctx, false).isColumnAccess(AD_Table_ID, m_vo.AD_Column_ID, false))
 return false;
+ if (getDisplayType() == DisplayType.Button && getAD_Process_ID() > 0) {
+ // Verify access to process for buttons
+ Boolean access = MRole.getDefault().getProcessAccess(getAD_Process_ID());
+ if (access == null || !access.booleanValue())
+ return false;
+ }
+
 }
 }
diff --git a/org.adempiere.base/src/org/compiere/model/MRole.java b/org.adempiere.base/src/org/compiere/model/MRole.java
index 8e7ef1fef2..4f3a8370d4 100644
--- a/org.adempiere.base/src/org/compiere/model/MRole.java
+++ b/org.adempiere.base/src/org/compiere/model/MRole.java
@@ -39,6 +39,7 @@ import java.util.logging.Level;
 import org.adempiere.exceptions.AdempiereException;
 import org.compiere.util.CLogger;
 import org.compiere.util.DB;
+import org.compiere.util.DisplayType;
 import org.compiere.util.Env;
 import org.compiere.util.Ini;
 import org.compiere.util.KeyNamePair;
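Review bot: The button check added in the GridField hunk resolves the role with `MRole.getDefault()`, while the column check directly above it uses `MRole.getDefault(ctx, false)`, so the two authorization decisions can be made against different contexts whenever `ctx` is not the global one. Use the same lookup for both: `Boolean access = MRole.getDefault(ctx, false).getProcessAccess(getAD_Process_ID());`. This only gates the field's editability; whether the code path that actually starts the process re-checks role access is not visible here and should be confirmed, because a disabled button is not enforcement on its own. The enclosing method starts and ends outside the hunk.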
@@ -1463,7 +1464,15 @@ public final class MRole extends X_AD_Role implements ImmutablePOSupport
 if (!isTableAccess(AD_Table_ID, ro)) // No Access to Table
 return false;
 loadColumnAccess(false);
-
+
+ // Verify access to process for buttons
+ MColumn column = MColumn.get(Env.getCtx(), AD_Column_ID);
+ if (column.getAD_Reference_ID() == DisplayType.Button && column.getAD_Process_ID() > 0) {
+ Boolean access = MRole.getDefault().getProcessAccess(column.getAD_Process_ID());
+ if (access == null)
+ return false;
+ }
+
 boolean retValue = true; // assuming exclusive
 for (int i = 0; i < m_columnAccess.length; i++)
 {
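Review bot: The new block in this MRole hunk asks `MRole.getDefault()` for process access instead of the role instance the method was called on, so evaluating any role other than the session default answers for the wrong role; call `getProcessAccess(column.getAD_Process_ID())` on `this`. The condition also rejects only `access == null`, which is weaker than the GridField check (`access == null || !access.booleanValue()`) and ignores the `ro` argument that the table check just above honours. If a non-null FALSE means read-only access, which the hunk does not show, `if (access == null || (!ro && !access.booleanValue())) return false;` would make the two checks agree. `MColumn.get(...)` is dereferenced without a null check, which presumably throws for an unknown `AD_Column_ID` rather than denying access. The method's signature and the rest of its body are outside the hunk.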