IDEMPIERE-2999 Attribute, Table Direct and date field support (#320)

Fix security issue about non advanced roles
2020-10-26 14:18:33 +01:00 · 2020-10-26 14:18:33 +01:00 · fa86359570
parent 17dd85d34d
commit fa86359570
4 changed files with 115 additions and 4 deletions
--- a/migration/i7.1z/oracle/202010241637_IDEMPIERE-2999.sql
+++ b/migration/i7.1z/oracle/202010241637_IDEMPIERE-2999.sql
@ -0,0 +1,39 @@
 SET SQLBLANKLINES ON
 SET DEFINE OFF
 -- IDEMPIERE-2999 Attribute, Table Direct and date field support
 -- Oct 24, 2020, 4:33:46 PM CEST
 INSERT INTO AD_Val_Rule (AD_Val_Rule_ID,Name,Type,Code,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,EntityType,AD_Val_Rule_UU) VALUES (200142,'M_Attribute.AttributeValueType','S','(''@#ShowAdvanced:N@''=''Y'' OR Value!=''R'')',0,0,'Y',TO_DATE('2020-10-24 16:33:46','YYYY-MM-DD HH24:MI:SS'),100,TO_DATE('2020-10-24 16:33:46','YYYY-MM-DD HH24:MI:SS'),100,'D','5610a6c5-c804-40b6-9fac-40a564ce1996')
 ;
 -- Oct 24, 2020, 4:33:57 PM CEST
 UPDATE AD_Column SET AD_Val_Rule_ID=200142,Updated=TO_DATE('2020-10-24 16:33:57','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=12662
 ;
 -- Oct 24, 2020, 4:34:06 PM CEST
 INSERT INTO AD_Val_Rule (AD_Val_Rule_ID,Name,Type,Code,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,EntityType,AD_Val_Rule_UU) VALUES (200143,'M_AttributeUse.M_Attribute_ID','S','(''@#ShowAdvanced:N@''=''Y'' OR AttributeValueType!=''R'')',0,0,'Y',TO_DATE('2020-10-24 16:34:06','YYYY-MM-DD HH24:MI:SS'),100,TO_DATE('2020-10-24 16:34:06','YYYY-MM-DD HH24:MI:SS'),100,'D','199a88e4-ddcc-4b32-9d92-baadba49ab4e')
 ;
 -- Oct 24, 2020, 4:34:20 PM CEST
 UPDATE AD_Column SET AD_Val_Rule_ID=200143, IsUpdateable='N',Updated=TO_DATE('2020-10-24 16:34:20','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=8527
 ;
 -- Oct 24, 2020, 4:36:04 PM CEST
 UPDATE AD_Column SET ReadOnlyLogic='@AttributeValueType@=R & @#ShowAdvanced:N@!Y',Updated=TO_DATE('2020-10-24 16:36:04','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=12662
 ;
 -- Oct 24, 2020, 4:36:09 PM CEST
 UPDATE AD_Column SET ReadOnlyLogic='@#ShowAdvanced:N@!Y',Updated=TO_DATE('2020-10-24 16:36:09','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=212643
 ;
 -- Oct 24, 2020, 4:36:17 PM CEST
 UPDATE AD_Column SET ReadOnlyLogic='@#ShowAdvanced:N@!Y',Updated=TO_DATE('2020-10-24 16:36:17','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=212644
 ;
 -- Oct 24, 2020, 4:36:28 PM CEST
 UPDATE AD_Column SET ReadOnlyLogic='@#ShowAdvanced:N@!Y',Updated=TO_DATE('2020-10-24 16:36:28','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=214317
 ;
 SELECT register_migration_script('202010241637_IDEMPIERE-2999.sql') FROM dual
 ;
--- a/migration/i7.1z/postgresql/202010241637_IDEMPIERE-2999.sql
+++ b/migration/i7.1z/postgresql/202010241637_IDEMPIERE-2999.sql
@ -0,0 +1,36 @@
 -- IDEMPIERE-2999 Attribute, Table Direct and date field support
 -- Oct 24, 2020, 4:33:46 PM CEST
 INSERT INTO AD_Val_Rule (AD_Val_Rule_ID,Name,Type,Code,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,EntityType,AD_Val_Rule_UU) VALUES (200142,'M_Attribute.AttributeValueType','S','(''@#ShowAdvanced:N@''=''Y'' OR Value!=''R'')',0,0,'Y',TO_TIMESTAMP('2020-10-24 16:33:46','YYYY-MM-DD HH24:MI:SS'),100,TO_TIMESTAMP('2020-10-24 16:33:46','YYYY-MM-DD HH24:MI:SS'),100,'D','5610a6c5-c804-40b6-9fac-40a564ce1996')
 ;
 -- Oct 24, 2020, 4:33:57 PM CEST
 UPDATE AD_Column SET AD_Val_Rule_ID=200142,Updated=TO_TIMESTAMP('2020-10-24 16:33:57','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=12662
 ;
 -- Oct 24, 2020, 4:34:06 PM CEST
 INSERT INTO AD_Val_Rule (AD_Val_Rule_ID,Name,Type,Code,AD_Client_ID,AD_Org_ID,IsActive,Created,CreatedBy,Updated,UpdatedBy,EntityType,AD_Val_Rule_UU) VALUES (200143,'M_AttributeUse.M_Attribute_ID','S','(''@#ShowAdvanced:N@''=''Y'' OR AttributeValueType!=''R'')',0,0,'Y',TO_TIMESTAMP('2020-10-24 16:34:06','YYYY-MM-DD HH24:MI:SS'),100,TO_TIMESTAMP('2020-10-24 16:34:06','YYYY-MM-DD HH24:MI:SS'),100,'D','199a88e4-ddcc-4b32-9d92-baadba49ab4e')
 ;
 -- Oct 24, 2020, 4:34:20 PM CEST
 UPDATE AD_Column SET AD_Val_Rule_ID=200143, IsUpdateable='N',Updated=TO_TIMESTAMP('2020-10-24 16:34:20','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=8527
 ;
 -- Oct 24, 2020, 4:36:04 PM CEST
 UPDATE AD_Column SET ReadOnlyLogic='@AttributeValueType@=R & @#ShowAdvanced:N@!Y',Updated=TO_TIMESTAMP('2020-10-24 16:36:04','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=12662
 ;
 -- Oct 24, 2020, 4:36:09 PM CEST
 UPDATE AD_Column SET ReadOnlyLogic='@#ShowAdvanced:N@!Y',Updated=TO_TIMESTAMP('2020-10-24 16:36:09','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=212643
 ;
 -- Oct 24, 2020, 4:36:17 PM CEST
 UPDATE AD_Column SET ReadOnlyLogic='@#ShowAdvanced:N@!Y',Updated=TO_TIMESTAMP('2020-10-24 16:36:17','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=212644
 ;
 -- Oct 24, 2020, 4:36:28 PM CEST
 UPDATE AD_Column SET ReadOnlyLogic='@#ShowAdvanced:N@!Y',Updated=TO_TIMESTAMP('2020-10-24 16:36:28','YYYY-MM-DD HH24:MI:SS'),UpdatedBy=100 WHERE AD_Column_ID=214317
 ;
 SELECT register_migration_script('202010241637_IDEMPIERE-2999.sql') FROM dual
 ;
--- a/org.adempiere.base/src/org/compiere/model/MAttribute.java
+++ b/org.adempiere.base/src/org/compiere/model/MAttribute.java
@ -29,6 +29,7 @@ import org.compiere.util.CCache;
 import org.compiere.util.CLogger;
 import org.compiere.util.DB;
 import org.compiere.util.Env;
 import org.compiere.util.Msg;
 import org.idempiere.cache.ImmutablePOSupport;
 /**
@ -42,7 +43,8 @@ public class MAttribute extends X_M_Attribute implements ImmutablePOSupport
 	/**
 	 * 
 	 */
-	private static final long serialVersionUID = 7869800574413317999L;
+	private static final long serialVersionUID = 8266487405778526776L;
 	/**	Logger	*/
 	private static CLogger s_log = CLogger.getCLogger (MAttribute.class);
@ -308,6 +310,22 @@ public class MAttribute extends X_M_Attribute implements ImmutablePOSupport
 			.append ("]");
 		return sb.toString ();
 	}	//	toString
 	/**
 	 * 	Before Save
 	 *	@param newRecord new
 	 *	@return true if can be saved
 	 */
 	@Override
 	protected boolean beforeSave(boolean newRecord) {
 		// not advanced roles cannot add or modify reference types
 		if ((newRecord || MAttribute.ATTRIBUTEVALUETYPE_Reference.equals(getAttributeValueType()))
 				&& ! MRole.getDefault().isAccessAdvanced()) {
 			log.saveError("Error", Msg.getMsg(getCtx(), "ActionNotAllowedHere"));
 			return false;
 		}
 		return true;
 	}
 	/**
 	 * 	AfterSave
--- a/org.adempiere.base/src/org/compiere/model/MAttributeUse.java
+++ b/org.adempiere.base/src/org/compiere/model/MAttributeUse.java
@ -20,6 +20,7 @@ import java.sql.ResultSet;
 import java.util.Properties;
 import org.compiere.util.DB;
 import org.compiere.util.Msg;
 /**
@ -33,8 +34,7 @@ public class MAttributeUse extends X_M_AttributeUse
 	/**
 	 * 
 	 */
-	private static final long serialVersionUID = 3727204159034073907L;
+	private static final long serialVersionUID = -9159120094145438975L;
 	/**
 	 * 	Persistency Constructor
@ -60,7 +60,25 @@ public class MAttributeUse extends X_M_AttributeUse
 		super(ctx, rs, trxName);
 	}	//	MAttributeUse
-	
+	/**
 	 * 	Before Save
 	 *	@param newRecord new
 	 *	@return true if can be saved
 	 */
 	@Override
 	protected boolean beforeSave(boolean newRecord) {
 		if ((newRecord || is_ValueChanged(COLUMNNAME_M_Attribute_ID))
 				&& ! MRole.getDefault().isAccessAdvanced()) {
 			// not advanced roles cannot assign for use a reference attribute
 			MAttribute att = MAttribute.get(getCtx(), getM_Attribute_ID());
 			if (MAttribute.ATTRIBUTEVALUETYPE_Reference.equals(att.getAttributeValueType())) {
 				log.saveError("Error", Msg.getMsg(getCtx(), "ActionNotAllowedHere"));
 				return false;
 			}
 		}
 		return true;
 	}
 	/**
 	 * 	After Save
 	 *	@param newRecord new