From fa8635957025f27de4a980361aa6d8fbc78f079d Mon Sep 17 00:00:00 2001
From: Carlos Ruiz
Date: Mon, 26 Oct 2020 14:18:33 +0100
Subject: [PATCH] IDEMPIERE-2999 Attribute, Table Direct and date field support (#320)
Fix security issue about non advanced roles
---
 .../oracle/202010241637_IDEMPIERE-2999.sql | 39 +++++++++++++++++++
 .../202010241637_IDEMPIERE-2999.sql | 36 +++++++++++++++++
 .../src/org/compiere/model/MAttribute.java | 20 +++++++++-
 .../src/org/compiere/model/MAttributeUse.java | 24 ++++++++++--
 4 files changed, 115 insertions(+), 4 deletions(-)
 create mode 100644 migration/i7.1z/oracle/202010241637_IDEMPIERE-2999.sql
 create mode 100644 migration/i7.1z/postgresql/202010241637_IDEMPIERE-2999.sql
diff --git a/migration/i7.1z/oracle/202010241637_IDEMPIERE-2999.sql b/migration/i7.1z/oracle/202010241637_IDEMPIERE-2999.sql
new file mode 100644
index 0000000000..8cf9a77605
--- /dev/null
+++ b/migration/i7.1z/oracle/202010241637_IDEMPIERE-2999.sql
@@ -0,0 +1,39 @@
+SET SQLBLANKLINES ON
+SET DEFINE OFF
+
+-- IDEMPIERE-2999 Attribute, Table Direct and date field support
+-- Oct 24, 2020, 4:33:46 PM CEST
+INSERT INTO AD_Val_Rule (AD_Val_Rule_ID,Name,Type,Code,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,EntityType,AD_Val_Rule_UU) VALUES (200142,'M_Attribute.AttributeValueType','S','(''@#ShowAdvanced:N@''=''Y'' OR Value!=''R'')',0,0,'Y',TO_DATE('2020-10-24 16:33:46','YYYY-MM-DD HH24:MI:SS'),100,TO_DATE('2020-10-24 16:33:46','YYYY-MM-DD HH24:MI:SS'),100,'D','5610a6c5-c804-40b6-9fac-40a564ce1996')
+;
+
+-- Oct 24, 2020, 4:33:57 PM CEST
+UPDATE AD_Column SET AD_Val_Rule_ID=200142,Updated=TO_DATE('2020-10-24 16:33:57','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=12662
+;
+
+-- Oct 24, 2020, 4:34:06 PM CEST
+INSERT INTO AD_Val_Rule (AD_Val_Rule_ID,Name,Type,Code,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,EntityType,AD_Val_Rule_UU) VALUES (200143,'M_AttributeUse.M_Attribute_ID','S','(''@#ShowAdvanced:N@''=''Y'' OR AttributeValueType!=''R'')',0,0,'Y',TO_DATE('2020-10-24 16:34:06','YYYY-MM-DD HH24:MI:SS'),100,TO_DATE('2020-10-24 16:34:06','YYYY-MM-DD HH24:MI:SS'),100,'D','199a88e4-ddcc-4b32-9d92-baadba49ab4e')
+;
+
+-- Oct 24, 2020, 4:34:20 PM CEST
+UPDATE AD_Column SET AD_Val_Rule_ID=200143, IsUpdateable='N',Updated=TO_DATE('2020-10-24 16:34:20','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=8527
+;
+
+-- Oct 24, 2020, 4:36:04 PM CEST
+UPDATE AD_Column SET ReadOnlyLogic='@AttributeValueType@=R & @#ShowAdvanced:N@!Y',Updated=TO_DATE('2020-10-24 16:36:04','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=12662
+;
+
+-- Oct 24, 2020, 4:36:09 PM CEST
+UPDATE AD_Column SET ReadOnlyLogic='@#ShowAdvanced:N@!Y',Updated=TO_DATE('2020-10-24 16:36:09','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=212643
+;
+
+-- Oct 24, 2020, 4:36:17 PM CEST
+UPDATE AD_Column SET ReadOnlyLogic='@#ShowAdvanced:N@!Y',Updated=TO_DATE('2020-10-24 16:36:17','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=212644
+;
+
+-- Oct 24, 2020, 4:36:28 PM CEST
+UPDATE AD_Column SET ReadOnlyLogic='@#ShowAdvanced:N@!Y',Updated=TO_DATE('2020-10-24 16:36:28','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=214317
+;
+
+SELECT register_migration_script('202010241637_IDEMPIERE-2999.sql') FROM dual
+;
+
diff --git a/migration/i7.1z/postgresql/202010241637_IDEMPIERE-2999.sql b/migration/i7.1z/postgresql/202010241637_IDEMPIERE-2999.sql
new file mode 100644
index 0000000000..25dda7dcdf
--- /dev/null
+++ b/migration/i7.1z/postgresql/202010241637_IDEMPIERE-2999.sql
@@ -0,0 +1,36 @@
+-- IDEMPIERE-2999 Attribute, Table Direct and date field support
+-- Oct 24, 2020, 4:33:46 PM CEST
+INSERT INTO AD_Val_Rule (AD_Val_Rule_ID,Name,Type,Code,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,EntityType,AD_Val_Rule_UU) VALUES (200142,'M_Attribute.AttributeValueType','S','(''@#ShowAdvanced:N@''=''Y'' OR Value!=''R'')',0,0,'Y',TO_TIMESTAMP('2020-10-24 16:33:46','YYYY-MM-DD HH24:MI:SS'),100,TO_TIMESTAMP('2020-10-24 16:33:46','YYYY-MM-DD HH24:MI:SS'),100,'D','5610a6c5-c804-40b6-9fac-40a564ce1996')
+;
+
+-- Oct 24, 2020, 4:33:57 PM CEST
+UPDATE AD_Column SET AD_Val_Rule_ID=200142,Updated=TO_TIMESTAMP('2020-10-24 16:33:57','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=12662
+;
+
+-- Oct 24, 2020, 4:34:06 PM CEST
+INSERT INTO AD_Val_Rule (AD_Val_Rule_ID,Name,Type,Code,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,EntityType,AD_Val_Rule_UU) VALUES (200143,'M_AttributeUse.M_Attribute_ID','S','(''@#ShowAdvanced:N@''=''Y'' OR AttributeValueType!=''R'')',0,0,'Y',TO_TIMESTAMP('2020-10-24 16:34:06','YYYY-MM-DD HH24:MI:SS'),100,TO_TIMESTAMP('2020-10-24 16:34:06','YYYY-MM-DD HH24:MI:SS'),100,'D','199a88e4-ddcc-4b32-9d92-baadba49ab4e')
+;
+
+-- Oct 24, 2020, 4:34:20 PM CEST
+UPDATE AD_Column SET AD_Val_Rule_ID=200143, IsUpdateable='N',Updated=TO_TIMESTAMP('2020-10-24 16:34:20','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=8527
+;
+
+-- Oct 24, 2020, 4:36:04 PM CEST
+UPDATE AD_Column SET ReadOnlyLogic='@AttributeValueType@=R & @#ShowAdvanced:N@!Y',Updated=TO_TIMESTAMP('2020-10-24 16:36:04','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=12662
+;
+
+-- Oct 24, 2020, 4:36:09 PM CEST
+UPDATE AD_Column SET ReadOnlyLogic='@#ShowAdvanced:N@!Y',Updated=TO_TIMESTAMP('2020-10-24 16:36:09','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=212643
+;
+
+-- Oct 24, 2020, 4:36:17 PM CEST
+UPDATE AD_Column SET ReadOnlyLogic='@#ShowAdvanced:N@!Y',Updated=TO_TIMESTAMP('2020-10-24 16:36:17','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=212644
+;
+
+-- Oct 24, 2020, 4:36:28 PM CEST
+UPDATE AD_Column SET ReadOnlyLogic='@#ShowAdvanced:N@!Y',Updated=TO_TIMESTAMP('2020-10-24 16:36:28','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=214317
+;
+
+SELECT register_migration_script('202010241637_IDEMPIERE-2999.sql') FROM dual
+;
+
diff --git a/org.adempiere.base/src/org/compiere/model/MAttribute.java b/org.adempiere.base/src/org/compiere/model/MAttribute.java
index 56e83958a7..aa87160b14 100644
--- a/org.adempiere.base/src/org/compiere/model/MAttribute.java
+++ b/org.adempiere.base/src/org/compiere/model/MAttribute.java
@@ -29,6 +29,7 @@ import org.compiere.util.CCache; import org.compiere.util.CLogger; import org.compiere.util.DB; import org.compiere.util.Env; +import org.compiere.util.Msg; import org.idempiere.cache.ImmutablePOSupport; /**
@@ -42,7 +43,8 @@ public class MAttribute extends X_M_Attribute implements ImmutablePOSupport /** * */ - private static final long serialVersionUID = 7869800574413317999L; + private static final long serialVersionUID = 8266487405778526776L; + /** Logger */ private static CLogger s_log = CLogger.getCLogger (MAttribute.class);
@@ -308,6 +310,22 @@ public class MAttribute extends X_M_Attribute implements ImmutablePOSupport .append ("]"); return sb.toString (); } // toString + + /** + * Before Save + * @param newRecord new + * @return true if can be saved + */ + @Override + protected boolean beforeSave(boolean newRecord) { + // not advanced roles cannot add or modify reference types + if ((newRecord || MAttribute.ATTRIBUTEVALUETYPE_Reference.equals(getAttributeValueType())) + && ! MRole.getDefault().isAccessAdvanced()) { + log.saveError("Error", Msg.getMsg(getCtx(), "ActionNotAllowedHere")); + return false; + } + return true; + } /** * AfterSave
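Review bot: The guard in the new MAttribute.beforeSave rejects every new M_Attribute saved by a non-advanced role, not only Reference-typed ones, because `newRecord ||` short-circuits the type test; that contradicts the comment right above it ("cannot add or modify reference types") and the dictionary rule this same commit adds, which still lets such roles pick non-Reference value types, so unless blocking all creation is intended the `newRecord ||` term should be dropped. The check also inspects only the new value, so a non-advanced role can still turn an existing Reference attribute into another type through the model layer (the new ReadOnlyLogic only protects the window); compare the previous value too, e.g. `boolean wasRef = !newRecord && MAttribute.ATTRIBUTEVALUETYPE_Reference.equals(get_ValueOld(COLUMNNAME_AttributeValueType));` and then test `(isRef || wasRef) && ! MRole.getDefault().isAccessAdvanced()`. I believe PO exposes `get_ValueOld(String)` in this codebase, but that is not visible in the diff, so please confirm. The trailing `/** * AfterSave` context belongs to afterSave, which continues outside the hunk.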
diff --git a/org.adempiere.base/src/org/compiere/model/MAttributeUse.java b/org.adempiere.base/src/org/compiere/model/MAttributeUse.java
index fdaccf875c..95a32997ea 100644
--- a/org.adempiere.base/src/org/compiere/model/MAttributeUse.java
+++ b/org.adempiere.base/src/org/compiere/model/MAttributeUse.java
@@ -20,6 +20,7 @@ import java.sql.ResultSet; import java.util.Properties; import org.compiere.util.DB; +import org.compiere.util.Msg; /**
@@ -33,8 +34,7 @@ public class MAttributeUse extends X_M_AttributeUse /** * */ - private static final long serialVersionUID = 3727204159034073907L; - + private static final long serialVersionUID = -9159120094145438975L; /** * Persistency Constructor
@@ -60,7 +60,25 @@ public class MAttributeUse extends X_M_AttributeUse super(ctx, rs, trxName); } // MAttributeUse - + /** + * Before Save + * @param newRecord new + * @return true if can be saved + */ + @Override + protected boolean beforeSave(boolean newRecord) { + if ((newRecord || is_ValueChanged(COLUMNNAME_M_Attribute_ID)) + && ! MRole.getDefault().isAccessAdvanced()) { + // not advanced roles cannot assign for use a reference attribute + MAttribute att = MAttribute.get(getCtx(), getM_Attribute_ID()); + if (MAttribute.ATTRIBUTEVALUETYPE_Reference.equals(att.getAttributeValueType())) { + log.saveError("Error", Msg.getMsg(getCtx(), "ActionNotAllowedHere")); + return false; + } + } + return true; + } + /** * After Save * @param newRecord new
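Review bot: `att` returned by `MAttribute.get(getCtx(), getM_Attribute_ID())` is dereferenced without a null check in the new MAttributeUse.beforeSave, so an unknown or zero M_Attribute_ID saved by a non-advanced role would surface as a NullPointerException rather than the intended validation error, assuming MAttribute.get follows the usual pattern of returning null for an id it cannot load (its body is not in this diff). Fail closed in that case with the same message: `if (att == null || MAttribute.ATTRIBUTEVALUETYPE_Reference.equals(att.getAttributeValueType())) {`. Checking the role before doing the lookup is the right order, but since this commit's migration also makes M_Attribute_ID non-updateable, a one-line comment on the `is_ValueChanged` branch such as `// M_Attribute_ID is read-only in the window; this also covers saves made outside the UI` would explain why the model-level check is still needed. The trailing `/** * After Save` context belongs to afterSave, which continues outside the hunk.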