diff --git a/migration/i6.2/oracle/201903251409_IDEMPIERE-3930.sql b/migration/i6.2/oracle/201903251409_IDEMPIERE-3930.sql
new file mode 100644
index 0000000000..64423b59a8
--- /dev/null
+++ b/migration/i6.2/oracle/201903251409_IDEMPIERE-3930.sql
@@ -0,0 +1,15 @@
+SET SQLBLANKLINES ON
+SET DEFINE OFF
+
+-- IDEMPIERE-3930 Allow permission control for idempiereMonitor and OSGI console
+-- Mar 25, 2019, 12:20:18 PM BRT
+INSERT INTO AD_Form (AD_Form_ID,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,Name,Description,Classname,AccessLevel,EntityType,IsBetaFunctionality,AD_Form_UU) VALUES (200011,0,0,'Y',TO_DATE('2019-03-25 12:20:17','YYYY-MM-DD HH24:MI:SS'),100,TO_DATE('2019-03-25 12:20:17','YYYY-MM-DD HH24:MI:SS'),100,'idempiereMonitor','Form to configure access to /idempiereMonitor - do not add to menu','/idempiereMonitor','4','D','N','3406efc3-aa1d-4212-bb5d-6d64ee39cc61')
+;
+
+-- Mar 25, 2019, 12:21:15 PM BRT
+INSERT INTO AD_Form (AD_Form_ID,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,Name,Description,Classname,AccessLevel,EntityType,IsBetaFunctionality,AD_Form_UU) VALUES (200012,0,0,'Y',TO_DATE('2019-03-25 12:21:15','YYYY-MM-DD HH24:MI:SS'),100,TO_DATE('2019-03-25 12:21:15','YYYY-MM-DD HH24:MI:SS'),100,'Apache Felix Web Console','Form to configure access to /osgi/system/console - do not add to menu','/osgi/system/console','4','D','N','bb212a96-e71d-4deb-98eb-799c74247c96')
+;
+
+SELECT register_migration_script('201903251409_IDEMPIERE-3930.sql') FROM dual
+;
+
diff --git a/migration/i6.2/postgresql/201903251409_IDEMPIERE-3930.sql b/migration/i6.2/postgresql/201903251409_IDEMPIERE-3930.sql
new file mode 100644
index 0000000000..e33f161ddf
--- /dev/null
+++ b/migration/i6.2/postgresql/201903251409_IDEMPIERE-3930.sql
@@ -0,0 +1,12 @@
+-- IDEMPIERE-3930 Allow permission control for idempiereMonitor and OSGI console
+-- Mar 25, 2019, 12:20:18 PM BRT
+INSERT INTO AD_Form (AD_Form_ID,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,Name,Description,Classname,AccessLevel,EntityType,IsBetaFunctionality,AD_Form_UU) VALUES (200011,0,0,'Y',TO_TIMESTAMP('2019-03-25 12:20:17','YYYY-MM-DD HH24:MI:SS'),100,TO_TIMESTAMP('2019-03-25 12:20:17','YYYY-MM-DD HH24:MI:SS'),100,'idempiereMonitor','Form to configure access to /idempiereMonitor - do not add to menu','/idempiereMonitor','4','D','N','3406efc3-aa1d-4212-bb5d-6d64ee39cc61')
+;
+
+-- Mar 25, 2019, 12:21:15 PM BRT
+INSERT INTO AD_Form (AD_Form_ID,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,Name,Description,Classname,AccessLevel,EntityType,IsBetaFunctionality,AD_Form_UU) VALUES (200012,0,0,'Y',TO_TIMESTAMP('2019-03-25 12:21:15','YYYY-MM-DD HH24:MI:SS'),100,TO_TIMESTAMP('2019-03-25 12:21:15','YYYY-MM-DD HH24:MI:SS'),100,'Apache Felix Web Console','Form to configure access to /osgi/system/console - do not add to menu','/osgi/system/console','4','D','N','bb212a96-e71d-4deb-98eb-799c74247c96')
+;
+
+SELECT register_migration_script('201903251409_IDEMPIERE-3930.sql') FROM dual
+;
+
diff --git a/org.adempiere.base/src/org/compiere/model/MUser.java b/org.adempiere.base/src/org/compiere/model/MUser.java
index 7a32faaddb..b8f64e756f 100644
--- a/org.adempiere.base/src/org/compiere/model/MUser.java
+++ b/org.adempiere.base/src/org/compiere/model/MUser.java
@@ -58,7 +58,7 @@ public class MUser extends X_AD_User /** * */ - private static final long serialVersionUID = 9027688865361175114L; + private static final long serialVersionUID = 7996468236476384128L; /** * Get active Users of BPartner
@@ -768,7 +768,7 @@ public class MUser extends X_AD_User /** * Is User an Administrator? - * @return true id Admin + * @return true if Admin */ public boolean isAdministrator() {
@@ -788,6 +788,33 @@ public class MUser extends X_AD_User return m_isAdministrator.booleanValue(); } // isAdministrator + /** + * User has access to URL form? + * @return true if user has access + */ + public boolean hasURLFormAccess(String url) + { + if (Util.isEmpty(url, true)) { + return false; + } + boolean hasAccess = false; + int formId = new Query(getCtx(), MForm.Table_Name, "ClassName=?", get_TrxName()) + .setOnlyActiveRecords(true) + .setParameters(url) + .firstId(); + if (formId > 0) { + for (MRole role : getRoles(0)) + { + Boolean formAccess = role.getFormAccess(formId); + if (formAccess != null && formAccess.booleanValue()) { + hasAccess = true; + break; + } + } + } + return hasAccess; + } // hasURLFormAccess + /** * Has the user Access to BP info and resources * @param BPAccessType access type
diff --git a/org.adempiere.server/src/main/servlet/org/compiere/web/AdempiereMonitorFilter.java b/org.adempiere.server/src/main/servlet/org/compiere/web/AdempiereMonitorFilter.java
index 348c413e4e..4083bbf933 100644
--- a/org.adempiere.server/src/main/servlet/org/compiere/web/AdempiereMonitorFilter.java
+++ b/org.adempiere.server/src/main/servlet/org/compiere/web/AdempiereMonitorFilter.java
@@ -150,9 +150,9 @@ public class AdempiereMonitorFilter implements Filter log.warning ("User not found: '" + name); return false; } - if (!user.isAdministrator()) + if (!user.isAdministrator() && !user.hasURLFormAccess("/idempiereMonitor")) { - log.warning ("Not a Sys Admin = " + name); + log.warning ("User doesn't have access to /idempiereMonitor = " + name); return false; } if (log.isLoggable(Level.INFO)) log.info ("Name=" + name);
diff --git a/org.idempiere.felix.webconsole/src/org/idempiere/felix/webconsole/SecurityProviderImpl.java b/org.idempiere.felix.webconsole/src/org/idempiere/felix/webconsole/SecurityProviderImpl.java
index 1bfedfbecf..938539ed31 100644
--- a/org.idempiere.felix.webconsole/src/org/idempiere/felix/webconsole/SecurityProviderImpl.java
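Review bot: The form lookup in `hasURLFormAccess` matches on `ClassName=?` alone and takes `firstId()` with no ordering and no client restriction, so the authorization decision depends on whichever active AD_Form row happens to carry that path. The migration in this commit seeds both rows under AD_Client_ID 0; if another active row with the same Classname can exist (not visible from this diff), a different form's access list could be consulted. Pinning the lookup to the system-owned record, e.g. `"ClassName=? AND AD_Client_ID=0"`, keeps the check tied to the seeded form. The Javadoc is also missing `@param url`, and `getRoles(0)` would benefit from a one-line comment saying why org 0 is the intended scope for this check.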
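Review bot: A user admitted through `hasURLFormAccess("/idempiereMonitor")` rather than `isAdministrator()` is only recorded by the existing `log.info ("Name=" + name)`, which is skipped unless INFO is loggable. Since the condition now lets non-administrators in, the delegated grant should be logged at a level that is retained, naming the path that was granted, so access by such roles can be audited. The denial message also concatenates `name` unmodified, and if that value comes from the login attempt it should have CR/LF stripped first, so that a crafted user name cannot forge log lines. The same two points apply to the SecurityProviderImpl hunk, and the enclosing method here starts and ends outside the hunk.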
+++ b/org.idempiere.felix.webconsole/src/org/idempiere/felix/webconsole/SecurityProviderImpl.java
@@ -30,9 +30,9 @@ public class SecurityProviderImpl implements WebConsoleSecurityProvider { log.warning ("User not found: '" + username); return null; } - if (!user.isAdministrator()) + if (!user.isAdministrator() && !user.hasURLFormAccess("/osgi/system/console")) { - log.warning ("Not a Sys Admin = " + username); + log.warning ("User doesn't have access to /osgi/system/console = " + username); return null; } if (log.isLoggable(Level.INFO)) log.info ("Name=" + username);
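Review bot: The new condition admits any user whose role has form access to `/osgi/system/console`, and nothing next to it says how much that grants. The Felix Web Console exposes bundle management, so this access is close to administrator-level control of the server rather than a read-only view. I would add a comment above the check such as `// Form access here grants OSGi console (bundle management); treat as equivalent to System Administrator`. The path literal must also stay identical to the `Classname` value inserted by the migration script, so a shared constant would avoid silent drift. The enclosing method continues outside the hunk, so whether later authorization steps narrow this further cannot be judged from here.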