IDEMPIERE-4268 Web Services : Read miss cross-tenant check (#415)

Co-authored-by: Heng Sin Low <hlow@trekglobal.com>
2020-11-26 13:22:18 +01:00 · 2020-11-26 13:22:18 +01:00 · d885aaf4e6
parent 460f7116a2
commit d885aaf4e6
3 changed files with 47 additions and 6 deletions
--- a/org.adempiere.base/src/org/compiere/model/PO.java
+++ b/org.adempiere.base/src/org/compiere/model/PO.java
@ -112,7 +112,7 @@ public abstract class PO
 	/**
 	 * 
 	 */
-	private static final long serialVersionUID = -1330388218446118451L;
+	private static final long serialVersionUID = -2086165095004944867L;

 	public static final String LOCAL_TRX_PREFIX = "POSave";

@ -208,6 +208,8 @@ public abstract class PO
 			load(rs);		//	will not have virtual columns
 		else
 			load(ID, trxName);
+
+		checkValidClient(false);
 	}   //  PO

 	/**
@ -2078,6 +2080,7 @@ public abstract class PO
 		checkImmutable();
 		
 		checkValidContext();
+		checkValidClient(true);
 		CLogger.resetLast();
 		boolean newRecord = is_new();	//	save locally as load resets
 		if (!newRecord && !is_Changed())
@ -3265,6 +3268,7 @@ public abstract class PO
 		checkImmutable();
 		
 		checkValidContext();
+		checkValidClient(true);
 		CLogger.resetLast();
 		if (is_new())
 			return true;
@ -4975,4 +4979,20 @@ public abstract class PO
 			throw new AdempiereException("Context lost");
 	}

+	private void checkValidClient(boolean writing) {		
+		int envClientID = Env.getAD_Client_ID(getCtx());
+		// processes running from system client can read/write always
+		if (envClientID > 0) {
+			int poClientID = getAD_Client_ID();
+			if (poClientID != envClientID &&
+					(poClientID != 0 || writing)) {
+				log.severe("Table="+get_TableName()+" Record_ID="+get_ID()+" Env.AD_Client_ID="+envClientID+" PO.AD_Client_ID="+poClientID);
+				String message = "Cross tenant PO request detected from session " 
+						+ Env.getContext(getCtx(), "#AD_Session_ID") + " for table " + get_TableName()
+						+ " Record_ID=" + get_ID();
+				throw new AdempiereException(message);
+			}
+		}
+	}
+
 }   //  PO
--- a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/panel/RolePanel.java
+++ b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/panel/RolePanel.java
@ -85,7 +85,7 @@ public class RolePanel extends Window implements EventListener<Event>, Deferrabl
 	/**
 	 * 
 	 */
-	private static final long serialVersionUID = 4486118071892173802L;
+	private static final long serialVersionUID = -4763398859555693370L;

 	protected LoginWindow wndLogin;
 	protected Login login;
@ -411,7 +411,8 @@ public class RolePanel extends Window implements EventListener<Event>, Deferrabl
 			{
 				initDefault=m_userpreference.getProperty( UserPreference.P_ROLE );
 			}
-            KeyNamePair clientKNPair = new KeyNamePair(Integer.valueOf((String)lstItemClient.getValue()), lstItemClient.getLabel());
+			int clientId = Integer.valueOf((String)lstItemClient.getValue());
+            KeyNamePair clientKNPair = new KeyNamePair(clientId, lstItemClient.getLabel());
            KeyNamePair roleKNPairs[] = login.getRoles(m_userName, clientKNPair, LoginPanel.ROLE_TYPES_WEBUI);
            if (roleKNPairs != null && roleKNPairs.length > 0)
            {
@ -433,7 +434,16 @@ public class RolePanel extends Window implements EventListener<Event>, Deferrabl
            //

            //force reload of default role
-            MRole.getDefault(m_ctx, true);
+            int cid = Env.getAD_Client_ID(m_ctx);
+            try 
+            {
+            	Env.setContext(m_ctx, Env.AD_CLIENT_ID, clientId);
+            	MRole.getDefault(m_ctx, true);
+            } 
+            finally
+            {
+            	Env.setContext(m_ctx, Env.AD_CLIENT_ID, cid);
+            }

    		// If we have only one role, we can make readonly the combobox
    		if (lstRole.getItemCount() == 1)
--- a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/util/UserPreference.java
+++ b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/util/UserPreference.java
@ -119,8 +119,19 @@ public final class UserPreference implements Serializable {
 						preference = new MUserPreference(Env.getCtx(), preference.getAD_Preference_ID(), null);
 					}
 				}
-				preference.setValue(value);
-				preference.saveEx();
+				
+				int cid = Env.getAD_Client_ID(Env.getCtx());
+				try {				
+					if (preference.getAD_Client_ID() == 0 && cid > 0) {
+						Env.setContext(Env.getCtx(), Env.AD_CLIENT_ID, 0);
+					}
+					preference.setValue(value);
+					preference.saveEx();
+				} finally {
+					if (preference.getAD_Client_ID() == 0 && cid > 0) {
+						Env.setContext(Env.getCtx(), Env.AD_CLIENT_ID, cid);
+					}
+				}
 			}
 		}
 	}