fixes issue 35398: Check readable clients for child properties using DAL WS
authorCarlos Aristu <carlos.aristu@openbravo.com>
Thu, 02 Mar 2017 09:22:31 +0100
changeset 31448 c978e345ba22
parent 31447 fee637c87cf3
child 31449 dc07ac3f254c
fixes issue 35398: Check readable clients for child properties using DAL WS

The fix for issue #29683 introduced a security check to avoid showing child properties that belong to a client different from the current client. However, that fix also prevented some readable objects from being displayed, such as master data defined at system level (client 0).

Therefore this security check has been improved: it now verifies that the child property is defined for a client that is readable by the current role.
src/org/openbravo/dal/xml/EntityXMLConverter.java
src/org/openbravo/service/rest/DalWebService.java
--- a/src/org/openbravo/dal/xml/EntityXMLConverter.java	Tue Feb 28 08:00:23 2017 +0100
+++ b/src/org/openbravo/dal/xml/EntityXMLConverter.java	Thu Mar 02 09:22:31 2017 +0100
@@ -11,7 +11,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2008-2015 Openbravo SLU 
+ * All portions are Copyright (C) 2008-2017 Openbravo SLU 
  * All Rights Reserved. 
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -37,6 +37,7 @@
 import javax.xml.transform.sax.TransformerHandler;
 import javax.xml.transform.stream.StreamResult;
 
+import org.apache.commons.lang.ArrayUtils;
 import org.apache.log4j.Logger;
 import org.hibernate.ScrollableResults;
 import org.openbravo.base.model.Entity;
@@ -119,6 +120,10 @@
   // only export references which belong to this client
   private Client client;
 
+  // child properties are exported if they are defined for a client whose ID is included in
+  // readableClients (if it has been set)
+  private String[] readableClients;
+
   // if the system attributes (version, timestamp, etc.) are added to
   // to the root element, for testcases it makes sense to not have this
   // to compare previous output results with new output results
@@ -474,7 +479,7 @@
         for (final Object o : childObjects) {
           // embed in the parent
           if (isOptionEmbedChildren()) {
-            if (objectBelongsToCurrentClient((BaseOBObject) o)) {
+            if (objectBelongsToReadableClient((BaseOBObject) o)) {
               final DataSetTable dst = (getDataSet() != null && obObject.getEntity() != null) ? dataSetTablesByEntity
                   .get(obObject.getEntity()) : null;
               if ((excludeAuditInfo != null && excludeAuditInfo)
@@ -588,7 +593,7 @@
 
   protected void addToExportList(BaseOBObject bob) {
     // only export references if belonging to the current client
-    if (!objectBelongsToCurrentClient(bob)) {
+    if (!objectBelongsToReadableClient(bob)) {
       return;
     }
 
@@ -600,12 +605,13 @@
     allToProcessObjects.add(bob);
   }
 
-  private boolean objectBelongsToCurrentClient(BaseOBObject bob) {
-    Client currentClient = getClient();
-    if (currentClient != null && bob instanceof ClientEnabled) {
-      String currentClientId = currentClient.getId();
+  private boolean objectBelongsToReadableClient(BaseOBObject bob) {
+    if (client != null && bob instanceof ClientEnabled) {
       String bobClientId = ((ClientEnabled) bob).getClient().getId();
-      return currentClientId.equals(bobClientId);
+      if (readableClients != null) {
+        return ArrayUtils.contains(readableClients, bobClientId);
+      }
+      return bobClientId.equals(client.getId());
     }
     return true;
   }
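Review bot: The readable-clients filter in objectBelongsToReadableClient only runs when `client` has been set (the `client != null` test on the first line of the method), so a converter configured with `setReadableClients` alone exports every ClientEnabled child unfiltered, which contradicts the field comment in the earlier hunk ("if it has been set"). Guarding on either field closes that gap: `if ((client != null || readableClients != null) && bob instanceof ClientEnabled) {` — the `client.getId()` fallback is still only reached when `readableClients` is null, which under the new guard implies `client` is non-null. The method also still dereferences `((ClientEnabled) bob).getClient()` without a null check, so a child whose client is unset would throw rather than be skipped; whether that can occur for the entities exported here is not visible from the hunk. A Javadoc stating the precedence (readable-client list first, current client as fallback, objects that are not ClientEnabled always exported) would make the contract explicit for the other callers of this class.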
@@ -794,6 +800,10 @@
     this.client = client;
   }
 
+  public void setReadableClients(String[] readableClients) {
+    this.readableClients = readableClients;
+  }
+
   public boolean isOptionExportAuditInfo() {
     return optionExportAuditInfo;
   }
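Review bot: setReadableClients stores the caller's array by reference, so any later mutation of that array silently changes which child objects the converter exports; DalWebService passes `OBContext.getOBContext().getReadableClients()` straight through, and whether that is a live internal array or a fresh copy is not visible here. Taking a snapshot keeps the filter stable for the lifetime of the converter: `this.readableClients = readableClients == null ? null : readableClients.clone();`. A short Javadoc noting that `null` disables the list and falls back to the client set via `setClient` would also help, since the two setters interact.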
--- a/src/org/openbravo/service/rest/DalWebService.java	Tue Feb 28 08:00:23 2017 +0100
+++ b/src/org/openbravo/service/rest/DalWebService.java	Thu Mar 02 09:22:31 2017 +0100
@@ -11,7 +11,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2008-2016 Openbravo SLU
+ * All portions are Copyright (C) 2008-2017 Openbravo SLU
  * All Rights Reserved.
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -206,6 +206,7 @@
               addSelectedPropertiesToEXC(exc, request.getParameter(PARAMETER_PROPERTIES), entity);
             }
             exc.setClient(OBContext.getOBContext().getCurrentClient());
+            exc.setReadableClients(OBContext.getOBContext().getReadableClients());
             exc.setOptionEmbedChildren(true);
             exc.setOptionIncludeChildren(includeChildren);
             exc.setOptionIncludeReferenced(false);
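Review bot: The converter setup added here is now duplicated line for line in the second DalWebService hunk (the block starting at the `new StringWriter()` context), and `setClient` and `setReadableClients` have to stay in sync at both sites; forgetting one of them on a future change would silently reintroduce the over-restrictive filtering this commit fixes. Extracting the shared sequence into one private helper keeps the client scope in a single place. Both enclosing methods start and end outside the hunks, so any further options set after `setOptionIncludeReferenced(false)` would need to be folded into the helper as well.
```java
/** Applies the client scope (current client plus readable clients) and the export options shared by both service paths. */
private static void configureConverter(EntityXMLConverter exc, boolean includeChildren) {
  OBContext ctx = OBContext.getOBContext();
  exc.setClient(ctx.getCurrentClient());
  exc.setReadableClients(ctx.getReadableClients());
  exc.setOptionEmbedChildren(true);
  exc.setOptionIncludeChildren(includeChildren);
  exc.setOptionIncludeReferenced(false);
}

// … unchanged: addSelectedPropertiesToEXC call …
configureConverter(exc, includeChildren);
```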
@@ -244,6 +245,7 @@
         final StringWriter sw = new StringWriter();
         final EntityXMLConverter exc = EntityXMLConverter.newInstance();
         exc.setClient(OBContext.getOBContext().getCurrentClient());
+        exc.setReadableClients(OBContext.getOBContext().getReadableClients());
         exc.setOptionEmbedChildren(true);
         exc.setOptionIncludeChildren(includeChildren);
         exc.setOptionIncludeReferenced(false);