midsuit
/
core-jgi
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

IDEMPIERE-4268 Web Services : Read miss cross-tenant check (#415) 

Co-authored-by: Heng Sin Low <hlow@trekglobal.com>
This commit is contained in:
Carlos Ruiz 2020-11-26 13:22:18 +01:00 committed by GitHub
parent 460f7116a2
commit d885aaf4e6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 47 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
org.adempiere.base/src/org/compiere/model/PO.java
View File

@ -112,7 +112,7 @@ public abstract class PO
/** /**
* *
*/ */
private static final long serialVersionUID = -1330388218446118451L; private static final long serialVersionUID = -2086165095004944867L;
public static final String LOCAL_TRX_PREFIX = "POSave"; public static final String LOCAL_TRX_PREFIX = "POSave";
@ -208,6 +208,8 @@ public abstract class PO
load(rs); // will not have virtual columns load(rs); // will not have virtual columns
else else
load(ID, trxName); load(ID, trxName);
checkValidClient(false);
} // PO } // PO
/** /**
@ -2078,6 +2080,7 @@ public abstract class PO
checkImmutable(); checkImmutable();
checkValidContext(); checkValidContext();
checkValidClient(true);
CLogger.resetLast(); CLogger.resetLast();
boolean newRecord = is_new(); // save locally as load resets boolean newRecord = is_new(); // save locally as load resets
if (!newRecord && !is_Changed()) if (!newRecord && !is_Changed())
@ -3265,6 +3268,7 @@ public abstract class PO
checkImmutable(); checkImmutable();
checkValidContext(); checkValidContext();
checkValidClient(true);
CLogger.resetLast(); CLogger.resetLast();
if (is_new()) if (is_new())
return true; return true;
@ -4975,4 +4979,20 @@ public abstract class PO
throw new AdempiereException("Context lost"); throw new AdempiereException("Context lost");
} }
private void checkValidClient(boolean writing) {
int envClientID = Env.getAD_Client_ID(getCtx());
// processes running from system client can read/write always
if (envClientID > 0) {
int poClientID = getAD_Client_ID();
if (poClientID != envClientID &&
(poClientID != 0 || writing)) {
log.severe("Table="+get_TableName()+" Record_ID="+get_ID()+" Env.AD_Client_ID="+envClientID+" PO.AD_Client_ID="+poClientID);
String message = "Cross tenant PO request detected from session "
+ Env.getContext(getCtx(), "#AD_Session_ID") + " for table " + get_TableName()
+ " Record_ID=" + get_ID();
throw new AdempiereException(message);
}
}
}
} // PO } // PO

16
org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/panel/RolePanel.java
View File

@ -85,7 +85,7 @@ public class RolePanel extends Window implements EventListener<Event>, Deferrabl
/** /**
* *
*/ */
private static final long serialVersionUID = 4486118071892173802L; private static final long serialVersionUID = -4763398859555693370L;
protected LoginWindow wndLogin; protected LoginWindow wndLogin;
protected Login login; protected Login login;
@ -411,7 +411,8 @@ public class RolePanel extends Window implements EventListener<Event>, Deferrabl
{ {
initDefault=m_userpreference.getProperty( UserPreference.P_ROLE ); initDefault=m_userpreference.getProperty( UserPreference.P_ROLE );
} }
KeyNamePair clientKNPair = new KeyNamePair(Integer.valueOf((String)lstItemClient.getValue()), lstItemClient.getLabel()); int clientId = Integer.valueOf((String)lstItemClient.getValue());
KeyNamePair clientKNPair = new KeyNamePair(clientId, lstItemClient.getLabel());
KeyNamePair roleKNPairs[] = login.getRoles(m_userName, clientKNPair, LoginPanel.ROLE_TYPES_WEBUI); KeyNamePair roleKNPairs[] = login.getRoles(m_userName, clientKNPair, LoginPanel.ROLE_TYPES_WEBUI);
if (roleKNPairs != null && roleKNPairs.length > 0) if (roleKNPairs != null && roleKNPairs.length > 0)
{ {
@ -433,7 +434,16 @@ public class RolePanel extends Window implements EventListener<Event>, Deferrabl
// //
//force reload of default role //force reload of default role
MRole.getDefault(m_ctx, true); int cid = Env.getAD_Client_ID(m_ctx);
try
{
Env.setContext(m_ctx, Env.AD_CLIENT_ID, clientId);
MRole.getDefault(m_ctx, true);
}
finally
{
Env.setContext(m_ctx, Env.AD_CLIENT_ID, cid);
}
// If we have only one role, we can make readonly the combobox // If we have only one role, we can make readonly the combobox
if (lstRole.getItemCount() == 1) if (lstRole.getItemCount() == 1)

15
org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/util/UserPreference.java
View File

@ -119,8 +119,19 @@ public final class UserPreference implements Serializable {
preference = new MUserPreference(Env.getCtx(), preference.getAD_Preference_ID(), null); preference = new MUserPreference(Env.getCtx(), preference.getAD_Preference_ID(), null);
} }
} }
preference.setValue(value);
preference.saveEx(); int cid = Env.getAD_Client_ID(Env.getCtx());
try {
if (preference.getAD_Client_ID() == 0 && cid > 0) {
Env.setContext(Env.getCtx(), Env.AD_CLIENT_ID, 0);
}
preference.setValue(value);
preference.saveEx();
} finally {
if (preference.getAD_Client_ID() == 0 && cid > 0) {
Env.setContext(Env.getCtx(), Env.AD_CLIENT_ID, cid);
}
}
} }
} }
} }