fixed issue 15874: Permissions to processes are not respected
authorAsier Lostalé <asier.lostale@openbravo.com>
Wed, 09 Feb 2011 17:32:12 +0100
changeset 10480 3cc3d1a740b2
parent 10479 88b76805cac7
child 10481 8191d45f2d75
fixed issue 15874: Permissions to processes are not respected
src-db/database/sourcedata/AD_REF_LIST.xml
src-wad/src/org/openbravo/wad/javasource.javaxml
--- a/src-db/database/sourcedata/AD_REF_LIST.xml	Wed Feb 09 17:31:48 2011 +0100
+++ b/src-db/database/sourcedata/AD_REF_LIST.xml	Wed Feb 09 17:32:12 2011 +0100
@@ -10736,4 +10736,16 @@
 <!--FEAB443F9CF94815B0306F85A245AD40-->  <SEQNO><![CDATA[1]]></SEQNO>
 <!--FEAB443F9CF94815B0306F85A245AD40--></AD_REF_LIST>
 
+<!--FF8081812E0A7E62012E0A8326F7000C--><AD_REF_LIST>
+<!--FF8081812E0A7E62012E0A8326F7000C-->  <AD_REF_LIST_ID><![CDATA[FF8081812E0A7E62012E0A8326F7000C]]></AD_REF_LIST_ID>
+<!--FF8081812E0A7E62012E0A8326F7000C-->  <AD_CLIENT_ID><![CDATA[0]]></AD_CLIENT_ID>
+<!--FF8081812E0A7E62012E0A8326F7000C-->  <AD_ORG_ID><![CDATA[0]]></AD_ORG_ID>
+<!--FF8081812E0A7E62012E0A8326F7000C-->  <ISACTIVE><![CDATA[Y]]></ISACTIVE>
+<!--FF8081812E0A7E62012E0A8326F7000C-->  <VALUE><![CDATA[SecuredProcess]]></VALUE>
+<!--FF8081812E0A7E62012E0A8326F7000C-->  <NAME><![CDATA[Secured Process]]></NAME>
+<!--FF8081812E0A7E62012E0A8326F7000C-->  <DESCRIPTION><![CDATA[Generated UI processes called from buttons within tabs can be secured by setting this property to 'Y'. If this property is not  set, they can be executed without giving explicit access by all roles with access to that window.]]></DESCRIPTION>
+<!--FF8081812E0A7E62012E0A8326F7000C-->  <AD_REFERENCE_ID><![CDATA[A26BA480E2014707B47257024C3CBFF7]]></AD_REFERENCE_ID>
+<!--FF8081812E0A7E62012E0A8326F7000C-->  <AD_MODULE_ID><![CDATA[0]]></AD_MODULE_ID>
+<!--FF8081812E0A7E62012E0A8326F7000C--></AD_REF_LIST>
+
 </data>
--- a/src-wad/src/org/openbravo/wad/javasource.javaxml	Wed Feb 09 17:31:48 2011 +0100
+++ b/src-wad/src/org/openbravo/wad/javasource.javaxml	Wed Feb 09 17:32:12 2011 +0100
@@ -12,7 +12,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2001-2010 Openbravo SLU 
+ * All portions are Copyright (C) 2001-2011 Openbravo SLU 
  * All Rights Reserved. 
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -74,12 +74,25 @@
       ServletException {
     VariablesSecureApp vars = new VariablesSecureApp(request);
     String command = vars.getCommand();
+    
+    boolean securedProcess = false;
     if (command.contains("BUTTON")) {
+      try {
+        securedProcess = "Y".equals(org.openbravo.erpCommon.businessUtility.Preferences
+            .getPreferenceValue("SecuredProcess", true, vars.getClient(), vars.getOrg(), vars
+                .getUser(), vars.getRole(), windowId));
+      } catch (PropertyException e) {
+      }
+    
      <FIELDS_TMP id="sectionActionButtonsService">
       if (command.contains("<FIELD_TMP id="ProcessIDsrv">processId</FIELD_TMP>")) {
         SessionInfo.setProcessType("P");
         SessionInfo.setProcessId("<FIELD_TMP id="ProcessIDsrv">processId</FIELD_TMP>");
         SessionInfo.setModuleId("<FIELD_TMP id="ProcessModulesrv">moduleId</FIELD_TMP>");
+        if (securedProcess) {
+          classInfo.type = "P";
+          classInfo.id = "<FIELD_TMP id="ProcessIDsrv">processId</FIELD_TMP>";
+        }
       }
      </FIELDS_TMP>
      <FIELDS_TMP id="sectionActionButtonsServiceJava">
@@ -87,9 +100,17 @@
         SessionInfo.setProcessType("P");
         SessionInfo.setProcessId("<FIELD_TMP id="ProcessIDsrvJ">processId</FIELD_TMP>");
         SessionInfo.setModuleId("<FIELD_TMP id="ProcessModulesrvJ">moduleId</FIELD_TMP>");
+        if (securedProcess) {
+          classInfo.type = "P";
+          classInfo.id = "<FIELD_TMP id="ProcessIDsrvJ">processId</FIELD_TMP>";
+        }
       }
      </FIELDS_TMP>
     }
+    if (!securedProcess) {
+      classInfo.type = "W";
+      classInfo.id = windowId;
+    }
     super.service(request, response);
   }
   </PARAMETER_TMP>