hg merge release-6.2 (merge release6.2 into default)

org.adempiere.base/src/org/compiere/model/GridField.java

@@ -83,7 +83,7 @@ public class GridField
 	/**
 	 * 
 	 */
-	private static final long serialVersionUID = -1871840570764036802L;
+	private static final long serialVersionUID = -5923967271000455417L;
 
 	/**
 	 *  Field Constructor.
@@ -110,6 +110,7 @@ public class GridField
 	 * GridTab.processDependentFields will check this flag to avoid clearing of lookup field value that just have been set.
 	 **/ 
 	private boolean m_lookupEditorSettingValue = false;
+	private boolean m_lockedRecord = false;
 	
 	/**
 	 *  Dispose
@@ -444,6 +445,8 @@ public class GridField
 	{
 		if (isVirtualColumn())
 			return false;
+		if (m_lockedRecord)
+			return false;
 		//  Fields always enabled (are usually not updateable)
 		if (m_vo.ColumnName.equals("Posted")
 			|| (m_vo.ColumnName.equals("Record_ID") && m_vo.displayType == DisplayType.Button))	//  Zoom
@@ -2507,6 +2510,14 @@ public class GridField
 		return m_vo.displayType == DisplayType.Button && MColumn.ISTOOLBARBUTTON_Toolbar.equals(m_vo.IsToolbarButton);
 	}
 
+	public boolean isLockedRecord() {
+		return m_lockedRecord;
+	}
+
+	public void setLockedRecord(boolean lockedRecord) {
+		this.m_lockedRecord = lockedRecord;
+	}
+
 	public int getPA_DashboardContent_ID()
 	{
 		return m_vo.PA_DashboardContent_ID;

org.adempiere.base/src/org/compiere/model/MOrderLine.java

@@ -311,7 +311,8 @@ public class MOrderLine extends X_C_OrderLine
 		//	Calculate Discount
 		setDiscount(m_productPrice.getDiscount());
 		//	Set UOM
-		setC_UOM_ID(m_productPrice.getC_UOM_ID());
+		if (getC_UOM_ID()==0)
+			setC_UOM_ID(m_productPrice.getC_UOM_ID());
 	}	//	setPrice
 
 	/**

org.adempiere.pipo.handlers/src/org/adempiere/pipo2/handler/FieldElementHandler.java

@@ -33,6 +33,7 @@ import org.compiere.model.I_AD_Field;
 import org.compiere.model.I_AD_FieldGroup;
 import org.compiere.model.I_AD_Reference;
 import org.compiere.model.I_AD_Tab;
+import org.compiere.model.I_AD_Val_Rule;
 import org.compiere.model.MField;
 import org.compiere.model.X_AD_Field;
 import org.compiere.model.X_AD_Package_Imp_Detail;
@@ -120,6 +121,12 @@ public class FieldElementHandler extends AbstractElementHandler {
 				ElementHandler handler = packOut.getHandler(I_AD_Reference.Table_Name);
 				handler.packOut(packOut,document,null,m_Field.getAD_Reference_ID());
 			}
+
+			if (m_Field.getAD_Val_Rule_ID() > 0)
+			{
+				ElementHandler handler = packOut.getHandler(I_AD_Val_Rule.Table_Name);
+				handler.packOut(packOut,document,null,m_Field.getAD_Val_Rule_ID());
+			}
 		}
 		catch(Exception e)
 		{

org.adempiere.ui.zk/.classpath

@@ -9,5 +9,6 @@
 	<classpathentry kind="src" path="WEB-INF/src/"/>
 	<classpathentry exported="true" kind="lib" path="WEB-INF/lib/ckez.jar"/>
 	<classpathentry exported="true" kind="lib" path="WEB-INF/lib/daisydiff.jar"/>
+	<classpathentry exported="true" kind="lib" path="WEB-INF/lib/owasp-java-html-sanitizer.jar"/>
 	<classpathentry kind="output" path="target/classes"/>
 </classpath>

org.adempiere.ui.zk/META-INF/MANIFEST.MF

@@ -55,7 +55,8 @@ Import-Package: groovy.transform.stc;version="2.4.7",
 DynamicImport-Package: action.images
 Bundle-ClassPath: .,
  WEB-INF/lib/ckez.jar,
- WEB-INF/lib/daisydiff.jar
+ WEB-INF/lib/daisydiff.jar,
+ WEB-INF/lib/owasp-java-html-sanitizer.jar
 Export-Package: fi.jawsy.jawwa.zk.atmosphere,
  metainfo.zk,
  org.adempiere.webui,

org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WHtmlEditor.java

@@ -194,7 +194,7 @@ public class WHtmlEditor extends WEditor implements ContextMenuListener
 					adwindowContent.hideBusyMask();
 				}
 				if (!dialog.isCancelled()) {
-					box.setContent(dialog.getText());
+					box.setContent(WTextEditorDialog.sanitize(dialog.getText()));
 					String newText = box.getContent();
 			        ValueChangeEvent changeEvent = new ValueChangeEvent(WHtmlEditor.this, WHtmlEditor.this.getColumnName(), oldValue, newText);
 			        WHtmlEditor.super.fireValueChange(changeEvent);

org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WTableDirEditor.java

@@ -42,8 +42,10 @@ import org.compiere.model.GridField;
 import org.compiere.model.GridTable;
 import org.compiere.model.Lookup;
 import org.compiere.model.MBPartnerLocation;
+import org.compiere.model.MColumn;
 import org.compiere.model.MLocation;
 import org.compiere.model.MLookup;
+import org.compiere.model.MRole;
 import org.compiere.model.MTable;
 import org.compiere.util.CCache;
 import org.compiere.util.CLogger;
@@ -319,18 +321,40 @@ ContextMenuListener, IZoomableEditor
                 	if (value instanceof Integer && gridField != null && gridField.getDisplayType() != DisplayType.ID && 
                 			(gridTab==null || !gridTab.getTableModel().isImporting())) // for IDs is ok to be out of the list
                 	{
-                		getComponent().setValue(null);
+                		//if it is problem with record lock, just keep value (no trigger change) and set field readonly
-                		if (curValue == null)
+                		MRole role = MRole.getDefault(Env.getCtx(), false);
-                			curValue = value;
+                		MColumn col = MColumn.get(Env.getCtx(), gridField.getAD_Column_ID());
-                		ValueChangeEvent changeEvent = new ValueChangeEvent(this, this.getColumnName(), curValue, null);
+                		int refTableID = -1;
-            	        super.fireValueChange(changeEvent);
+                		if (col.get_ID() > 0) {
-                		oldValue = null;
+                			String refTable = col.getReferenceTableName();
+                			MTable table = MTable.get(Env.getCtx(), refTable);
+                			refTableID = table.getAD_Table_ID();
+                		}
+                		if (refTableID > 0 && ! role.isRecordAccess(refTableID, (int)value, false))
+                		{
+                			oldValue = value;
+                			setReadWrite(false);
+                			gridField.setLockedRecord(true);
+                		}
+                		else
+                		{
+                			getComponent().setValue(null);
+                			if (curValue == null)
+                				curValue = value;
+                			ValueChangeEvent changeEvent = new ValueChangeEvent(this, this.getColumnName(), curValue, null);
+                			super.fireValueChange(changeEvent);
+                			oldValue = null;
+                			if (gridField!=null)
+                				gridField.setLockedRecord(false);
+                		}
                 	}
                 }
             }
             else
             {
             	oldValue = value;
+				if (gridField!=null)
+            		gridField.setLockedRecord(false);
             }
         }
         else

org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/panel/WAttachment.java

@@ -482,6 +482,7 @@ public class WAttachment extends Window implements EventListener<Event>
 				AMedia media = new AMedia(entry.getName(), null, contentType, entry.getData());
 
 				preview.setContent(media);
+				preview.setClientAttribute("sandbox", "");
 				preview.setVisible(true);
 				preview.invalidate();
 			}

org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WMediaDialog.java

@@ -237,7 +237,9 @@ public class WMediaDialog extends Window implements EventListener<Event>
 				AMedia media = createMedia();
 				
 				preview.setContent(media);
+				preview.setClientAttribute("sandbox", "");
 				preview.setVisible(true);
+				preview.invalidate();
 			}
 			catch (Exception e)
 			{

org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WTextEditorDialog.java

@@ -28,6 +28,8 @@ import org.adempiere.webui.component.Window;
 import org.adempiere.webui.theme.ThemeManager;
 import org.adempiere.webui.util.ZKUpdateUtil;
 import org.compiere.util.Language;
+import org.owasp.html.PolicyFactory;
+import org.owasp.html.Sanitizers;
 import org.zkforge.ckez.CKeditor;
 import org.zkoss.zk.au.out.AuScript;
 import org.zkoss.zk.ui.event.Event;
@@ -48,7 +50,7 @@ public class WTextEditorDialog extends Window implements EventListener<Event>{
 	/**
 	 * 
 	 */
-	private static final long serialVersionUID = 1188165765430615546L;
+	private static final long serialVersionUID = -1857623453350849161L;
 
 	private boolean editable;
 	private int maxSize;
@@ -186,7 +188,7 @@ public class WTextEditorDialog extends Window implements EventListener<Event>{
 	}
 
 	public void onEditorCallback(Event event) {
-		text = (String) event.getData();
+		text = sanitize((String) event.getData());
 		detach();
 	}
 	
@@ -264,4 +266,14 @@ public class WTextEditorDialog extends Window implements EventListener<Event>{
 		return text;
 	}
 
+	public static String sanitize(String untrustedHTML) {
+		final PolicyFactory policy = Sanitizers.BLOCKS
+				.and(Sanitizers.FORMATTING)
+				.and(Sanitizers.IMAGES)
+				.and(Sanitizers.LINKS)
+				.and(Sanitizers.STYLES)
+				.and(Sanitizers.TABLES);
+		return policy.sanitize(untrustedHTML);
+	}
+
 }

org.adempiere.ui.zk/WEB-INF/web.xml

@@ -85,6 +85,10 @@
 	<!-- /////////// -->
 	<!-- Miscellaneous -->
 	<session-config>
+		<cookie-config>
+                        <http-only>true</http-only>
+                        <secure>true</secure>
+                </cookie-config>
 		<session-timeout>60</session-timeout>
 	</session-config>
 

org.adempiere.ui.zk/build.properties

@@ -35,6 +35,7 @@ bin.includes = META-INF/,\
                pdf.js/,\
                WEB-INF/lib/ckez.jar,\
                WEB-INF/lib/daisydiff.jar,\
+               WEB-INF/lib/owasp-java-html-sanitizer.jar,\
                .
 src.includes = WEB-INF/tld/,\
                WEB-INF/web.xml,\

org.adempiere.ui.zk/pom.xml

@@ -62,6 +62,11 @@
 									<artifactId>ckez</artifactId>
 									<version>4.7.0.0</version>
 								</artifactItem>
+								<artifactItem>
+									<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
+									<artifactId>owasp-java-html-sanitizer</artifactId>
+									<version>20190503.1</version>
+								</artifactItem>
 							</artifactItems>
 							<outputDirectory>WEB-INF/lib</outputDirectory>
 							<stripVersion>true</stripVersion>