fixes issue 35397: Check readable clients for child properties using DAL WS
authorCarlos Aristu <carlos.aristu@openbravo.com>
Wed, 01 Mar 2017 18:29:35 +0100
changeset 31571 4fd058dfb0fd
parent 31570 68702618a590
child 31572 d930e8fe2e33
fixes issue 35397: Check readable clients for child properties using DAL WS

The fix for issue #29683 introduced a security check to avoid showing child properties that belong to a client different from the current one. However, that fix also prevented some readable objects from being displayed, such as master data defined at system level (client 0).

Therefore this security check has been improved: it is now verified that the child property is defined for a client which is readable by the current role.
src/org/openbravo/dal/xml/EntityXMLConverter.java
src/org/openbravo/service/rest/DalWebService.java
--- a/src/org/openbravo/dal/xml/EntityXMLConverter.java	Tue Feb 28 14:56:32 2017 -0500
+++ b/src/org/openbravo/dal/xml/EntityXMLConverter.java	Wed Mar 01 18:29:35 2017 +0100
@@ -11,7 +11,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2008-2015 Openbravo SLU 
+ * All portions are Copyright (C) 2008-2017 Openbravo SLU 
  * All Rights Reserved. 
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -37,6 +37,7 @@
 import javax.xml.transform.sax.TransformerHandler;
 import javax.xml.transform.stream.StreamResult;
 
+import org.apache.commons.lang.ArrayUtils;
 import org.apache.log4j.Logger;
 import org.hibernate.ScrollableResults;
 import org.openbravo.base.model.Entity;
@@ -119,6 +120,10 @@
   // only export references which belong to this client
   private Client client;
 
+  // child properties are exported if they are defined for a client whose ID is included in
+  // readableClients (if it has been set)
+  private String[] readableClients;
+
   // if the system attributes (version, timestamp, etc.) are added to
   // to the root element, for testcases it makes sense to not have this
   // to compare previous output results with new output results
@@ -474,7 +479,7 @@
         for (final Object o : childObjects) {
           // embed in the parent
           if (isOptionEmbedChildren()) {
-            if (objectBelongsToCurrentClient((BaseOBObject) o)) {
+            if (objectBelongsToReadableClient((BaseOBObject) o)) {
               final DataSetTable dst = (getDataSet() != null && obObject.getEntity() != null) ? dataSetTablesByEntity
                   .get(obObject.getEntity()) : null;
               if ((excludeAuditInfo != null && excludeAuditInfo)
@@ -588,7 +593,7 @@
 
   protected void addToExportList(BaseOBObject bob) {
     // only export references if belonging to the current client
-    if (!objectBelongsToCurrentClient(bob)) {
+    if (!objectBelongsToReadableClient(bob)) {
       return;
     }
 
@@ -600,12 +605,14 @@
     allToProcessObjects.add(bob);
   }
 
-  private boolean objectBelongsToCurrentClient(BaseOBObject bob) {
-    Client currentClient = getClient();
-    if (currentClient != null && bob instanceof ClientEnabled) {
-      String currentClientId = currentClient.getId();
+  private boolean objectBelongsToReadableClient(BaseOBObject bob) {
+    if (bob instanceof ClientEnabled) {
       String bobClientId = ((ClientEnabled) bob).getClient().getId();
-      return currentClientId.equals(bobClientId);
+      if (readableClients != null) {
+        return ArrayUtils.contains(readableClients, bobClientId);
+      } else if (client != null) {
+        return bobClientId.equals(client.getId());
+      }
     }
     return true;
   }
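Review bot: objectBelongsToReadableClient is now the access-control decision for every embedded child and exported reference, yet it has no Javadoc stating its three outcomes: when readableClients is set (even if empty) only IDs contained in it pass, so an empty array rejects every ClientEnabled object; when it is null the check falls back to an exact match against the client field; and objects that are not ClientEnabled, or a converter with neither value set, are always accepted. A Javadoc spelling out that null and empty are not equivalent, echoed in the readableClients field comment added in the `@@ -119,6 +120,10 @@` hunk, would keep later callers from assuming the two cases behave alike. Separately, `((ClientEnabled) bob).getClient().getId()` dereferences the object's client without a null check, as the replaced code also did; if a ClientEnabled object can reach this point without a client assigned, `final Client bobClient = ((ClientEnabled) bob).getClient(); if (bobClient == null) { return false; }` would reject it instead of throwing from inside the export loop.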
@@ -794,6 +801,10 @@
     this.client = client;
   }
 
+  public void setReadableClients(String[] readableClients) {
+    this.readableClients = readableClients;
+  }
+
   public boolean isOptionExportAuditInfo() {
     return optionExportAuditInfo;
   }
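Review bot: setReadableClients stores the caller's array by reference, so any later modification of that array by the caller, or by whoever owns the array handed out by OBContext, silently changes which clients this converter accepts after the fact. A defensive copy keeps the check stable for the lifetime of the converter: `this.readableClients = readableClients == null ? null : readableClients.clone();`. A short Javadoc noting that an empty array rejects every ClientEnabled child while null falls back to the current-client comparison would also help callers choose the right value.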
--- a/src/org/openbravo/service/rest/DalWebService.java	Tue Feb 28 14:56:32 2017 -0500
+++ b/src/org/openbravo/service/rest/DalWebService.java	Wed Mar 01 18:29:35 2017 +0100
@@ -11,7 +11,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2008-2016 Openbravo SLU
+ * All portions are Copyright (C) 2008-2017 Openbravo SLU
  * All Rights Reserved.
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -206,6 +206,7 @@
               addSelectedPropertiesToEXC(exc, request.getParameter(PARAMETER_PROPERTIES), entity);
             }
             exc.setClient(OBContext.getOBContext().getCurrentClient());
+            exc.setReadableClients(OBContext.getOBContext().getReadableClients());
             exc.setOptionEmbedChildren(true);
             exc.setOptionIncludeChildren(includeChildren);
             exc.setOptionIncludeReferenced(false);
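Review bot: The converter setup, `exc.setClient(...)` followed by the new `exc.setReadableClients(...)` and the three setOption calls, is now repeated verbatim here and in the `@@ -244,6 +245,7 @@` hunk; because omitting setReadableClients on one path silently narrows the check back to the current client only, the sequence is worth centralising in a private helper so the two export paths cannot drift apart. The methods enclosing both hunks begin and end outside the diff, so the helper's placement is left to the author. A possible shape:
```java
// … unchanged: entity resolution and selected-properties handling …
configureConverter(exc, includeChildren);

/** Applies the client scope and export options shared by both export paths. */
private static void configureConverter(EntityXMLConverter exc, boolean includeChildren) {
  final OBContext ctx = OBContext.getOBContext();
  exc.setClient(ctx.getCurrentClient());
  exc.setReadableClients(ctx.getReadableClients());
  exc.setOptionEmbedChildren(true);
  exc.setOptionIncludeChildren(includeChildren);
  exc.setOptionIncludeReferenced(false);
}
```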
@@ -244,6 +245,7 @@
         final StringWriter sw = new StringWriter();
         final EntityXMLConverter exc = EntityXMLConverter.newInstance();
         exc.setClient(OBContext.getOBContext().getCurrentClient());
+        exc.setReadableClients(OBContext.getOBContext().getReadableClients());
         exc.setOptionEmbedChildren(true);
         exc.setOptionIncludeChildren(includeChildren);
         exc.setOptionIncludeReferenced(false);