IDEMPIERE-6048 Check access - based on Heng Sin's PR2485 (#2494)

* IDEMPIERE-6048 Check access - based on Heng Sin's PR2485 * - remove warning * - add a refactor to MChart Column Lookup, to be used by REST * - fix wrong call - suggested by Heng Sin
2024-10-18 12:16:29 +02:00 · 2024-10-18 12:16:29 +02:00 · ecd8563a58
parent 3864166213
commit ecd8563a58
3 changed files with 62 additions and 15 deletions
--- a/org.adempiere.base/src/org/compiere/model/MChart.java
+++ b/org.adempiere.base/src/org/compiere/model/MChart.java
@ -21,18 +21,22 @@
 **********************************************************************/
 package org.compiere.model;

+import java.awt.image.BufferedImage;
 import java.sql.ResultSet;
 import java.util.List;
 import java.util.Properties;

+import org.adempiere.apps.graph.ChartBuilder;
 import org.compiere.util.Env;
+import org.jfree.chart.ChartRenderingInfo;
+import org.jfree.chart.JFreeChart;

 public class MChart extends X_AD_Chart {
 	/**
 	 * generated serial id
 	 */
-	private static final long serialVersionUID = 5720760885280644477L;
-	
+	private static final long serialVersionUID = 6510636131425272970L;
+
 	private int windowNo=0;

    /**
@ -87,4 +91,29 @@ public class MChart extends X_AD_Chart {
 	public int getWindowNo() {
 		return windowNo;
 	}
+
+	/**
+	 * Get chart image
+	 * @param id
+	 * @param width
+	 * @param height
+	 * @return chart image
+	 */
+	public BufferedImage getChartImage(int width, int height) {
+		if (width <= 0)
+			width = getWinHeight();
+		if (width <= 0)
+			width = 100; // default
+		if (height <= 0)
+			height = getWinHeight(); // default to make a square
+		if (height <= 0)
+			height = 100; // default to make a square of 100px
+		ChartBuilder chartBuilder = new ChartBuilder(this);
+		JFreeChart chart = chartBuilder.createChart();
+		chart.getPlot().setForegroundAlpha(0.8f);
+		ChartRenderingInfo info = new ChartRenderingInfo();
+		BufferedImage bi = chart.createBufferedImage(width, height, BufferedImage.TRANSLUCENT, info);
+		return bi;
+	}
+
 }
--- a/org.adempiere.base/src/org/compiere/model/MRole.java
+++ b/org.adempiere.base/src/org/compiere/model/MRole.java
@ -3464,4 +3464,29 @@ public final class MRole extends X_AD_Role implements ImmutablePOSupport
 		return this;
 	}

+	/**
+	 * Check record access through {@link #addAccessSQL(String, String, boolean, boolean)} using<br/>
+	 * either record id or record uuid
+	 * @param table
+	 * @param recordId ignore if uuid is use
+	 * @param uuid null to use recordId
+	 * @param rw true for writable, false for readonly
+	 * @return true if role has access to record
+	 */
+	public boolean checkAccessSQL(MTable table, int recordId, String uuid, boolean rw) {
+		StringBuilder sql = new StringBuilder("SELECT 1 FROM ")
+				.append(table.getTableName())
+				.append(" WHERE ")
+				.append(table.getTableName())
+				.append(".");
+		if (!Util.isEmpty(uuid, true) ) {
+			sql.append(PO.getUUIDColumnName(table.getTableName()))
+				.append("=?");
+			return DB.getSQLValueEx(null, addAccessSQL(sql.toString(), table.getTableName(), true, rw), uuid) == 1;
+		} else {
+			sql.append(table.getKeyColumns()[0])
+				.append("=?");
+			return DB.getSQLValueEx(null, addAccessSQL(sql.toString(), table.getTableName(), true, rw), recordId) == 1;
+		}
+	}
 }	//	MRole
--- a/org.adempiere.report.jasper/src/org/adempiere/report/jasper/ColumnLookup.java
+++ b/org.adempiere.report.jasper/src/org/adempiere/report/jasper/ColumnLookup.java
@ -24,14 +24,12 @@
 **********************************************************************/
 package org.adempiere.report.jasper;

-import java.awt.image.BufferedImage;
 import java.math.BigDecimal;
 import java.util.Date;
 import java.util.function.BiFunction;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;

-import org.adempiere.apps.graph.ChartBuilder;
 import org.compiere.model.MAccount;
 import org.compiere.model.MAttachment;
 import org.compiere.model.MAttributeSetInstance;
@ -43,14 +41,13 @@ import org.compiere.model.MLocator;
 import org.compiere.model.MLookup;
 import org.compiere.model.MLookupFactory;
 import org.compiere.model.MLookupInfo;
+import org.compiere.model.MRole;
 import org.compiere.model.MTable;
 import org.compiere.util.DisplayType;
 import org.compiere.util.Env;
 import org.compiere.util.Language;
 import org.compiere.util.Msg;
 import org.compiere.util.Util;
-import org.jfree.chart.ChartRenderingInfo;
-import org.jfree.chart.JFreeChart;

 /**
 * @author hengsin
@ -173,6 +170,9 @@ public class ColumnLookup implements BiFunction<String, Object, Object> {
 				if (table != null) {
 					int recordId = (key instanceof Number) ? ((Number)key).intValue() : -1;
 					String recordUU = (key instanceof String) ? (String)key : null;
+					// check security
+					if (!MRole.getDefault().checkAccessSQL(table, recordId, recordUU, false))
+						return null;
 					MAttachment attachment = MAttachment.get(Env.getCtx(), table.get_ID(), recordId, recordUU, null);
 					if (attachment != null && attachment.get_ID() > 0) {
 						//first, check whether is via index
@ -266,15 +266,8 @@ public class ColumnLookup implements BiFunction<String, Object, Object> {
 	 */
 	private Object getChartImage(int id, int width, int height) {
 		MChart mc = new MChart(Env.getCtx(), id, null);
-		if (mc.get_ID() == id) {
-			ChartBuilder chartBuilder = new ChartBuilder(mc);
-			JFreeChart chart = chartBuilder.createChart();
-			chart.getPlot().setForegroundAlpha(0.8f);
-			ChartRenderingInfo info = new ChartRenderingInfo();
-			BufferedImage bi = chart.createBufferedImage(width, height,
-					BufferedImage.TRANSLUCENT, info);
-			return bi;
-		}
+		if (mc.get_ID() == id)
+			return mc.getChartImage(width, height);
 		return null;
 	}