From ecd8563a5849903b424c6d15828b56ba851cb1b9 Mon Sep 17 00:00:00 2001
From: Carlos Ruiz
Date: Fri, 18 Oct 2024 12:16:29 +0200
Subject: [PATCH] IDEMPIERE-6048 Check access - based on Heng Sin's PR2485 (#2494)
* IDEMPIERE-6048 Check access - based on Heng Sin's PR2485
* - remove warning
* - add a refactor to MChart Column Lookup, to be used by REST
* - fix wrong call - suggested by Heng Sin
---
 .../src/org/compiere/model/MChart.java | 33 +++++++++++++++++++--
 .../src/org/compiere/model/MRole.java | 25 ++++++++++++++
 .../adempiere/report/jasper/ColumnLookup.java | 19 ++++-------
 3 files changed, 62 insertions(+), 15 deletions(-)
diff --git a/org.adempiere.base/src/org/compiere/model/MChart.java b/org.adempiere.base/src/org/compiere/model/MChart.java
index a3e6147a50..14a156247c 100644
--- a/org.adempiere.base/src/org/compiere/model/MChart.java
+++ b/org.adempiere.base/src/org/compiere/model/MChart.java
@@ -21,18 +21,22 @@
 **********************************************************************/
 package org.compiere.model;
+import java.awt.image.BufferedImage;
 import java.sql.ResultSet;
 import java.util.List;
 import java.util.Properties;
+import org.adempiere.apps.graph.ChartBuilder;
 import org.compiere.util.Env;
+import org.jfree.chart.ChartRenderingInfo;
+import org.jfree.chart.JFreeChart;
 public class MChart extends X_AD_Chart {
 /**
 * generated serial id
 */
- private static final long serialVersionUID = 5720760885280644477L;
-
+ private static final long serialVersionUID = 6510636131425272970L;
+
 private int windowNo=0;
 /**
@@ -87,4 +91,29 @@ public class MChart extends X_AD_Chart {
 public int getWindowNo() {
 return windowNo;
 }
+
+ /**
+ * Get chart image
+ * @param id
+ * @param width
+ * @param height
+ * @return chart image
+ */
+ public BufferedImage getChartImage(int width, int height) {
+ if (width <= 0)
+ width = getWinHeight();
+ if (width <= 0)
+ width = 100; // default
+ if (height <= 0)
+ height = getWinHeight(); // default to make a square
+ if (height <= 0)
+ height = 100; // default to make a square of 100px
+ ChartBuilder chartBuilder = new ChartBuilder(this);
+ JFreeChart chart = chartBuilder.createChart();
+ chart.getPlot().setForegroundAlpha(0.8f);
+ ChartRenderingInfo info = new ChartRenderingInfo();
+ BufferedImage bi = chart.createBufferedImage(width, height, BufferedImage.TRANSLUCENT, info);
+ return bi;
+ }
+
 }
diff --git a/org.adempiere.base/src/org/compiere/model/MRole.java b/org.adempiere.base/src/org/compiere/model/MRole.java
index 803c59cff8..5591bc7c85 100644
--- a/org.adempiere.base/src/org/compiere/model/MRole.java
+++ b/org.adempiere.base/src/org/compiere/model/MRole.java
@@ -3464,4 +3464,29 @@ public final class MRole extends X_AD_Role implements ImmutablePOSupport
 return this;
 }
+ /**
+ * Check record access through {@link #addAccessSQL(String, String, boolean, boolean)} using
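Review bot: The first width fallback in getChartImage, `width = getWinHeight();`, assigns the chart's window height to the width; the height branch below uses the same accessor, so a caller passing width <= 0 always gets a square sized by the window height even when a different window width is configured, and the symmetric accessor (presumably `getWinWidth()`, which this hunk does not show) is what the comment "default" suggests was intended. The Javadoc lists `@param id`, but the method has no such parameter; drop that tag and describe the real ones, e.g. `@param width image width in px; <= 0 falls back to the chart's configured window width, then 100`. ColumnLookup.getChartImage now delegates here, so that call site inherits both points.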
+ * either record id or record uuid
+ * @param table
+ * @param recordId ignore if uuid is use
+ * @param uuid null to use recordId
+ * @param rw true for writable, false for readonly
+ * @return true if role has access to record
+ */
+ public boolean checkAccessSQL(MTable table, int recordId, String uuid, boolean rw) {
+ StringBuilder sql = new StringBuilder("SELECT 1 FROM ")
+ .append(table.getTableName())
+ .append(" WHERE ")
+ .append(table.getTableName())
+ .append(".");
+ if (!Util.isEmpty(uuid, true) ) {
+ sql.append(PO.getUUIDColumnName(table.getTableName()))
+ .append("=?");
+ return DB.getSQLValueEx(null, addAccessSQL(sql.toString(), table.getTableName(), true, rw), uuid) == 1;
+ } else {
+ sql.append(table.getKeyColumns()[0])
+ .append("=?");
+ return DB.getSQLValueEx(null, addAccessSQL(sql.toString(), table.getTableName(), true, rw), recordId) == 1;
+ }
+ }
 } // MRole
diff --git a/org.adempiere.report.jasper/src/org/adempiere/report/jasper/ColumnLookup.java b/org.adempiere.report.jasper/src/org/adempiere/report/jasper/ColumnLookup.java
index 5ea5e9811b..a1056d0bce 100644
--- a/org.adempiere.report.jasper/src/org/adempiere/report/jasper/ColumnLookup.java
+++ b/org.adempiere.report.jasper/src/org/adempiere/report/jasper/ColumnLookup.java
@@ -24,14 +24,12 @@
 **********************************************************************/
 package org.adempiere.report.jasper;
-import java.awt.image.BufferedImage;
 import java.math.BigDecimal;
 import java.util.Date;
 import java.util.function.BiFunction;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
-import org.adempiere.apps.graph.ChartBuilder;
 import org.compiere.model.MAccount;
 import org.compiere.model.MAttachment;
 import org.compiere.model.MAttributeSetInstance;
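Review bot: `sql.append(table.getKeyColumns()[0])` in the recordId branch of checkAccessSQL indexes the key-column array unconditionally; for a table without a single-column key (an empty or multi-column result from getKeyColumns(), which I cannot verify from this hunk) that turns an access check with a boolean contract into an ArrayIndexOutOfBoundsException. A guard before the branch such as `String[] keys = table.getKeyColumns(); if (keys == null || keys.length != 1) return false;` keeps the deny-by-default semantics. The recordId Javadoc reads `ignore if uuid is use`; `ignored if uuid is given` is what is meant. The identifier values are bound as JDBC parameters and only table/column names come from AD metadata, which is the right shape for this check; it would also help callers to note in the Javadoc that a database error surfaces as an exception rather than as false if getSQLValueEx rethrows, which I cannot confirm here.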
@@ -43,14 +41,13 @@ import org.compiere.model.MLocator;
 import org.compiere.model.MLookup;
 import org.compiere.model.MLookupFactory;
 import org.compiere.model.MLookupInfo;
+import org.compiere.model.MRole;
 import org.compiere.model.MTable;
 import org.compiere.util.DisplayType;
 import org.compiere.util.Env;
 import org.compiere.util.Language;
 import org.compiere.util.Msg;
 import org.compiere.util.Util;
-import org.jfree.chart.ChartRenderingInfo;
-import org.jfree.chart.JFreeChart;
 /**
 * @author hengsin
@@ -173,6 +170,9 @@ public class ColumnLookup implements BiFunction {
 if (table != null) {
 int recordId = (key instanceof Number) ? ((Number)key).intValue() : -1;
 String recordUU = (key instanceof String) ? (String)key : null;
+ // check security
+ if (!MRole.getDefault().checkAccessSQL(table, recordId, recordUU, false))
+ return null;
 MAttachment attachment = MAttachment.get(Env.getCtx(), table.get_ID(), recordId, recordUU, null);
 if (attachment != null && attachment.get_ID() > 0) {
 //first, check whether is via index
@@ -266,15 +266,8 @@ public class ColumnLookup implements BiFunction {
 */
 private Object getChartImage(int id, int width, int height) {
 MChart mc = new MChart(Env.getCtx(), id, null);
- if (mc.get_ID() == id) {
- ChartBuilder chartBuilder = new ChartBuilder(mc);
- JFreeChart chart = chartBuilder.createChart();
- chart.getPlot().setForegroundAlpha(0.8f);
- ChartRenderingInfo info = new ChartRenderingInfo();
- BufferedImage bi = chart.createBufferedImage(width, height,
- BufferedImage.TRANSLUCENT, info);
- return bi;
- }
+ if (mc.get_ID() == id)
+ return mc.getChartImage(width, height);
 return null;
 }
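Review bot: The comment `// check security` above the new MRole check in the attachment branch of the `@@ -173,6 +170,9 @@` hunk says nothing about what is protected or why the check sits before MAttachment.get; a reader needs something like `// resolve the attachment only if the current role can read its owning record (client/org/record access via MRole.addAccessSQL)`. Returning null on denial is indistinguishable from "no attachment", which is the right choice for not revealing whether a record exists to a report consumer, and stating that in the same comment keeps a later maintainer from turning it into a distinguishable error. The enclosing method starts and ends outside the hunk, so whether recordId of -1 with a null recordUU can reach this point depends on code not shown here.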