IDEMPIERE-3930 Allow permission control for idempiereMonitor and OSGI console

2019-03-25 15:19:04 -03:00 · 2019-03-25 15:19:04 -03:00 · 2df5088624
parent 66f6dac19d
commit 2df5088624
5 changed files with 60 additions and 6 deletions
--- a/migration/i6.2/oracle/201903251409_IDEMPIERE-3930.sql
+++ b/migration/i6.2/oracle/201903251409_IDEMPIERE-3930.sql
@ -0,0 +1,15 @@
+SET SQLBLANKLINES ON
+SET DEFINE OFF
+
+-- IDEMPIERE-3930 Allow permission control for idempiereMonitor and OSGI console
+-- Mar 25, 2019, 12:20:18 PM BRT
+INSERT INTO AD_Form (AD_Form_ID,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,Name,Description,Classname,AccessLevel,EntityType,IsBetaFunctionality,AD_Form_UU) VALUES (200011,0,0,'Y',TO_DATE('2019-03-25 12:20:17','YYYY-MM-DD HH24:MI:SS'),100,TO_DATE('2019-03-25 12:20:17','YYYY-MM-DD HH24:MI:SS'),100,'idempiereMonitor','Form to configure access to /idempiereMonitor - do not add to menu','/idempiereMonitor','4','D','N','3406efc3-aa1d-4212-bb5d-6d64ee39cc61')
+;
+
+-- Mar 25, 2019, 12:21:15 PM BRT
+INSERT INTO AD_Form (AD_Form_ID,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,Name,Description,Classname,AccessLevel,EntityType,IsBetaFunctionality,AD_Form_UU) VALUES (200012,0,0,'Y',TO_DATE('2019-03-25 12:21:15','YYYY-MM-DD HH24:MI:SS'),100,TO_DATE('2019-03-25 12:21:15','YYYY-MM-DD HH24:MI:SS'),100,'Apache Felix Web Console','Form to configure access to /osgi/system/console - do not add to menu','/osgi/system/console','4','D','N','bb212a96-e71d-4deb-98eb-799c74247c96')
+;
+
+SELECT register_migration_script('201903251409_IDEMPIERE-3930.sql') FROM dual
+;
+
--- a/migration/i6.2/postgresql/201903251409_IDEMPIERE-3930.sql
+++ b/migration/i6.2/postgresql/201903251409_IDEMPIERE-3930.sql
@ -0,0 +1,12 @@
+-- IDEMPIERE-3930 Allow permission control for idempiereMonitor and OSGI console
+-- Mar 25, 2019, 12:20:18 PM BRT
+INSERT INTO AD_Form (AD_Form_ID,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,Name,Description,Classname,AccessLevel,EntityType,IsBetaFunctionality,AD_Form_UU) VALUES (200011,0,0,'Y',TO_TIMESTAMP('2019-03-25 12:20:17','YYYY-MM-DD HH24:MI:SS'),100,TO_TIMESTAMP('2019-03-25 12:20:17','YYYY-MM-DD HH24:MI:SS'),100,'idempiereMonitor','Form to configure access to /idempiereMonitor - do not add to menu','/idempiereMonitor','4','D','N','3406efc3-aa1d-4212-bb5d-6d64ee39cc61')
+;
+
+-- Mar 25, 2019, 12:21:15 PM BRT
+INSERT INTO AD_Form (AD_Form_ID,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,Name,Description,Classname,AccessLevel,EntityType,IsBetaFunctionality,AD_Form_UU) VALUES (200012,0,0,'Y',TO_TIMESTAMP('2019-03-25 12:21:15','YYYY-MM-DD HH24:MI:SS'),100,TO_TIMESTAMP('2019-03-25 12:21:15','YYYY-MM-DD HH24:MI:SS'),100,'Apache Felix Web Console','Form to configure access to /osgi/system/console - do not add to menu','/osgi/system/console','4','D','N','bb212a96-e71d-4deb-98eb-799c74247c96')
+;
+
+SELECT register_migration_script('201903251409_IDEMPIERE-3930.sql') FROM dual
+;
+
--- a/org.adempiere.base/src/org/compiere/model/MUser.java
+++ b/org.adempiere.base/src/org/compiere/model/MUser.java
@ -58,7 +58,7 @@ public class MUser extends X_AD_User
 	/**
 	 * 
 	 */
-	private static final long serialVersionUID = 9027688865361175114L;
+	private static final long serialVersionUID = 7996468236476384128L;

 	/**
 	 * Get active Users of BPartner
@ -768,7 +768,7 @@ public class MUser extends X_AD_User
 	
 	/**
 	 * 	Is User an Administrator?
-	 *	@return true id Admin
+	 *	@return true if Admin
 	 */
 	public boolean isAdministrator()
 	{
@ -788,6 +788,33 @@ public class MUser extends X_AD_User
 		return m_isAdministrator.booleanValue();
 	}	//	isAdministrator

+	/**
+	 * 	User has access to URL form?
+	 *	@return true if user has access
+	 */
+	public boolean hasURLFormAccess(String url)
+	{
+		if (Util.isEmpty(url, true)) {
+			return false;
+		}
+		boolean hasAccess = false;
+		int formId = new Query(getCtx(), MForm.Table_Name, "ClassName=?", get_TrxName())
+				.setOnlyActiveRecords(true)
+				.setParameters(url)
+				.firstId();
+		if (formId > 0) {
+			for (MRole role : getRoles(0))
+			{
+				Boolean formAccess = role.getFormAccess(formId);
+				if (formAccess != null && formAccess.booleanValue()) {
+					hasAccess = true;
+					break;
+				}
+			}
+		}
+		return hasAccess;
+	}	//	hasURLFormAccess
+
 	/**
 	 * 	Has the user Access to BP info and resources
 	 *	@param BPAccessType access type
--- a/org.adempiere.server/src/main/servlet/org/compiere/web/AdempiereMonitorFilter.java
+++ b/org.adempiere.server/src/main/servlet/org/compiere/web/AdempiereMonitorFilter.java
@ -150,9 +150,9 @@ public class AdempiereMonitorFilter implements Filter
 				log.warning ("User not found: '" + name);
 				return false;
 			}
-			if (!user.isAdministrator())
+			if (!user.isAdministrator() && !user.hasURLFormAccess("/idempiereMonitor"))
 			{
-				log.warning ("Not a Sys Admin = " + name);
+				log.warning ("User doesn't have access to /idempiereMonitor = " + name);
 				return false;
 			}
 			if (log.isLoggable(Level.INFO)) log.info ("Name=" + name);
--- a/org.idempiere.felix.webconsole/src/org/idempiere/felix/webconsole/SecurityProviderImpl.java
+++ b/org.idempiere.felix.webconsole/src/org/idempiere/felix/webconsole/SecurityProviderImpl.java
@ -30,9 +30,9 @@ public class SecurityProviderImpl implements WebConsoleSecurityProvider {
 			log.warning ("User not found: '" + username);
 			return null;
 		}
-		if (!user.isAdministrator())
+		if (!user.isAdministrator() && !user.hasURLFormAccess("/osgi/system/console"))
 		{
-			log.warning ("Not a Sys Admin = " + username);
+			log.warning ("User doesn't have access to /osgi/system/console = " + username);
 			return null;
 		}
 		if (log.isLoggable(Level.INFO)) log.info ("Name=" + username);