IDEMPIERE-2999 Attribute, Table Direct and date field support (#320)

Fix a security issue affecting non-advanced roles
Carlos Ruiz 2020-10-26 14:18:33 +01:00 committed by GitHub
parent 17dd85d34d
commit fa86359570
4 changed files with 115 additions and 4 deletions


@ -0,0 +1,39 @@
SET SQLBLANKLINES ON
SET DEFINE OFF
-- IDEMPIERE-2999 Attribute, Table Direct and date field support
-- Oct 24, 2020, 4:33:46 PM CEST
INSERT INTO AD_Val_Rule (AD_Val_Rule_ID,Name,Type,Code,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,EntityType,AD_Val_Rule_UU) VALUES (200142,'M_Attribute.AttributeValueType','S','(''@#ShowAdvanced:N@''=''Y'' OR Value!=''R'')',0,0,'Y',TO_DATE('2020-10-24 16:33:46','YYYY-MM-DD HH24:MI:SS'),100,TO_DATE('2020-10-24 16:33:46','YYYY-MM-DD HH24:MI:SS'),100,'D','5610a6c5-c804-40b6-9fac-40a564ce1996')
;
-- Oct 24, 2020, 4:33:57 PM CEST
UPDATE AD_Column SET AD_Val_Rule_ID=200142,Updated=TO_DATE('2020-10-24 16:33:57','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=12662
;
-- Oct 24, 2020, 4:34:06 PM CEST
INSERT INTO AD_Val_Rule (AD_Val_Rule_ID,Name,Type,Code,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,EntityType,AD_Val_Rule_UU) VALUES (200143,'M_AttributeUse.M_Attribute_ID','S','(''@#ShowAdvanced:N@''=''Y'' OR AttributeValueType!=''R'')',0,0,'Y',TO_DATE('2020-10-24 16:34:06','YYYY-MM-DD HH24:MI:SS'),100,TO_DATE('2020-10-24 16:34:06','YYYY-MM-DD HH24:MI:SS'),100,'D','199a88e4-ddcc-4b32-9d92-baadba49ab4e')
;
-- Oct 24, 2020, 4:34:20 PM CEST
UPDATE AD_Column SET AD_Val_Rule_ID=200143, IsUpdateable='N',Updated=TO_DATE('2020-10-24 16:34:20','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=8527
;
-- Oct 24, 2020, 4:36:04 PM CEST
UPDATE AD_Column SET ReadOnlyLogic='@AttributeValueType@=R & @#ShowAdvanced:N@!Y',Updated=TO_DATE('2020-10-24 16:36:04','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=12662
;
-- Oct 24, 2020, 4:36:09 PM CEST
UPDATE AD_Column SET ReadOnlyLogic='@#ShowAdvanced:N@!Y',Updated=TO_DATE('2020-10-24 16:36:09','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=212643
;
-- Oct 24, 2020, 4:36:17 PM CEST
UPDATE AD_Column SET ReadOnlyLogic='@#ShowAdvanced:N@!Y',Updated=TO_DATE('2020-10-24 16:36:17','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=212644
;
-- Oct 24, 2020, 4:36:28 PM CEST
UPDATE AD_Column SET ReadOnlyLogic='@#ShowAdvanced:N@!Y',Updated=TO_DATE('2020-10-24 16:36:28','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=214317
;
SELECT register_migration_script('202010241637_IDEMPIERE-2999.sql') FROM dual
;
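Review bot: The two AD_Val_Rule inserts and the ReadOnlyLogic updates only change what the window offers or lets a non-advanced role edit; they are dictionary-level UI metadata, not the enforcement point, and the script does not say where the real check lives. I would add a comment after the IDEMPIERE-2999 header line: `-- UI-level restriction only; the enforced check is MAttribute/MAttributeUse.beforeSave (MRole.isAccessAdvanced)`, so a later dictionary edit is not mistaken for relaxing or tightening security. The ReadOnlyLogic strings contain '&', which is why the leading SET DEFINE OFF matters for SQL*Plus; a one-line comment next to it (`-- keep: ReadOnlyLogic below uses '&'`) would stop it being dropped by accident. The PostgreSQL twin of this script is identical apart from TO_TIMESTAMP, which is as expected.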


@ -0,0 +1,36 @@
-- IDEMPIERE-2999 Attribute, Table Direct and date field support
-- Oct 24, 2020, 4:33:46 PM CEST
INSERT INTO AD_Val_Rule (AD_Val_Rule_ID,Name,Type,Code,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,EntityType,AD_Val_Rule_UU) VALUES (200142,'M_Attribute.AttributeValueType','S','(''@#ShowAdvanced:N@''=''Y'' OR Value!=''R'')',0,0,'Y',TO_TIMESTAMP('2020-10-24 16:33:46','YYYY-MM-DD HH24:MI:SS'),100,TO_TIMESTAMP('2020-10-24 16:33:46','YYYY-MM-DD HH24:MI:SS'),100,'D','5610a6c5-c804-40b6-9fac-40a564ce1996')
;
-- Oct 24, 2020, 4:33:57 PM CEST
UPDATE AD_Column SET AD_Val_Rule_ID=200142,Updated=TO_TIMESTAMP('2020-10-24 16:33:57','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=12662
;
-- Oct 24, 2020, 4:34:06 PM CEST
INSERT INTO AD_Val_Rule (AD_Val_Rule_ID,Name,Type,Code,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,EntityType,AD_Val_Rule_UU) VALUES (200143,'M_AttributeUse.M_Attribute_ID','S','(''@#ShowAdvanced:N@''=''Y'' OR AttributeValueType!=''R'')',0,0,'Y',TO_TIMESTAMP('2020-10-24 16:34:06','YYYY-MM-DD HH24:MI:SS'),100,TO_TIMESTAMP('2020-10-24 16:34:06','YYYY-MM-DD HH24:MI:SS'),100,'D','199a88e4-ddcc-4b32-9d92-baadba49ab4e')
;
-- Oct 24, 2020, 4:34:20 PM CEST
UPDATE AD_Column SET AD_Val_Rule_ID=200143, IsUpdateable='N',Updated=TO_TIMESTAMP('2020-10-24 16:34:20','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=8527
;
-- Oct 24, 2020, 4:36:04 PM CEST
UPDATE AD_Column SET ReadOnlyLogic='@AttributeValueType@=R & @#ShowAdvanced:N@!Y',Updated=TO_TIMESTAMP('2020-10-24 16:36:04','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=12662
;
-- Oct 24, 2020, 4:36:09 PM CEST
UPDATE AD_Column SET ReadOnlyLogic='@#ShowAdvanced:N@!Y',Updated=TO_TIMESTAMP('2020-10-24 16:36:09','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=212643
;
-- Oct 24, 2020, 4:36:17 PM CEST
UPDATE AD_Column SET ReadOnlyLogic='@#ShowAdvanced:N@!Y',Updated=TO_TIMESTAMP('2020-10-24 16:36:17','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=212644
;
-- Oct 24, 2020, 4:36:28 PM CEST
UPDATE AD_Column SET ReadOnlyLogic='@#ShowAdvanced:N@!Y',Updated=TO_TIMESTAMP('2020-10-24 16:36:28','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=214317
;
SELECT register_migration_script('202010241637_IDEMPIERE-2999.sql') FROM dual
;


@ -29,6 +29,7 @@ import org.compiere.util.CCache;
import org.compiere.util.CLogger;
import org.compiere.util.DB;
import org.compiere.util.Env;
import org.compiere.util.Msg;
import org.idempiere.cache.ImmutablePOSupport;
/**
@ -42,7 +43,8 @@ public class MAttribute extends X_M_Attribute implements ImmutablePOSupport
/**
*
*/
private static final long serialVersionUID = 7869800574413317999L;
private static final long serialVersionUID = 8266487405778526776L;
/** Logger */
private static CLogger s_log = CLogger.getCLogger (MAttribute.class);
@ -308,6 +310,22 @@ public class MAttribute extends X_M_Attribute implements ImmutablePOSupport
.append ("]");
return sb.toString ();
} // toString
/**
* Before Save
* @param newRecord new
* @return true if can be saved
*/
@Override
protected boolean beforeSave(boolean newRecord) {
// not advanced roles cannot add or modify reference types
if ((newRecord || MAttribute.ATTRIBUTEVALUETYPE_Reference.equals(getAttributeValueType()))
&& ! MRole.getDefault().isAccessAdvanced()) {
log.saveError("Error", Msg.getMsg(getCtx(), "ActionNotAllowedHere"));
return false;
}
return true;
}
/**
* AfterSave
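Review bot: The condition in the new beforeSave rejects every new record for a non-advanced role, not only reference-type ones: `newRecord || MAttribute.ATTRIBUTEVALUETYPE_Reference.equals(getAttributeValueType())` is true for any new record, which contradicts the comment above it and the validation rule this commit adds to hide only 'R' from those roles. Unless blocking all attribute creation for non-advanced roles is intended, the reference test should apply to both sides of the OR. The check also reads only the new value, so a non-advanced role that flips an existing 'R' attribute to another type passes the model check (the ReadOnlyLogic this commit sets on the same column appears to prevent it in the window, but the model should not rely on the UI); comparing the old value closes that: `boolean isRef = ATTRIBUTEVALUETYPE_Reference.equals(getAttributeValueType());` / `boolean wasRef = !newRecord && ATTRIBUTEVALUETYPE_Reference.equals(get_ValueOld(COLUMNNAME_AttributeValueType));` / `if ((isRef || wasRef) && ! MRole.getDefault().isAccessAdvanced()) {`. MRole.getDefault() resolves the role from the session context, so this guard is only as strong as the context populated by the calling path (server processes, web services); I have not verified how those paths set it, and a short comment stating the assumption would help.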


@ -20,6 +20,7 @@ import java.sql.ResultSet;
import java.util.Properties;
import org.compiere.util.DB;
import org.compiere.util.Msg;
/**
@ -33,8 +34,7 @@ public class MAttributeUse extends X_M_AttributeUse
/**
*
*/
private static final long serialVersionUID = 3727204159034073907L;
private static final long serialVersionUID = -9159120094145438975L;
/**
* Persistency Constructor
@ -60,7 +60,25 @@ public class MAttributeUse extends X_M_AttributeUse
super(ctx, rs, trxName);
} // MAttributeUse
/**
* Before Save
* @param newRecord new
* @return true if can be saved
*/
@Override
protected boolean beforeSave(boolean newRecord) {
if ((newRecord || is_ValueChanged(COLUMNNAME_M_Attribute_ID))
&& ! MRole.getDefault().isAccessAdvanced()) {
// not advanced roles cannot assign for use a reference attribute
MAttribute att = MAttribute.get(getCtx(), getM_Attribute_ID());
if (MAttribute.ATTRIBUTEVALUETYPE_Reference.equals(att.getAttributeValueType())) {
log.saveError("Error", Msg.getMsg(getCtx(), "ActionNotAllowedHere"));
return false;
}
}
return true;
}
/**
* After Save
* @param newRecord new
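Review bot: `MAttribute att = MAttribute.get(getCtx(), getM_Attribute_ID());` is dereferenced on the next line without a null check; if MAttribute.get follows the usual cached-get pattern and returns null for an id it cannot load (an unknown id, or possibly an attribute created in the same uncommitted transaction since no trxName is passed), the save fails with a NullPointerException rather than a saveError. A permission check should fail closed, so I would write `if (att == null || MAttribute.ATTRIBUTEVALUETYPE_Reference.equals(att.getAttributeValueType())) {`. I cannot see MAttribute.get from this hunk, so the transaction-visibility part is an assumption worth a `// TODO confirm: lookup is done outside the current trx` comment rather than a silent reliance. The guard order (new record or changed attribute, then role, then type) is otherwise sensible and avoids the lookup for advanced roles.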