TRUNK-6203: Global properties access should be privileged

openmrs · Jun 19, 2024 · f44e5b7 · f44e5b7
1 parent a6dda61
commit f44e5b7
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 7 deletions.
diff --git a/api/src/main/java/org/openmrs/module/referenceapplication/ReferenceApplicationActivator.java b/api/src/main/java/org/openmrs/module/referenceapplication/ReferenceApplicationActivator.java
@@ -50,6 +50,7 @@
 import org.openmrs.scheduler.TaskDefinition;
 import org.openmrs.scheduler.tasks.ProcessHL7InQueueTask;
 import org.openmrs.ui.framework.resource.ResourceFactory;
+import org.openmrs.util.PrivilegeConstants;
 
 /**
  * This class contains the logic that is run every time this module is either started or stopped.
@@ -167,7 +168,13 @@ private void setupRegistrationcoreGlobalProperties(AdministrationService adminis
 	}
 
     private void setGlobalProperty(AdministrationService administrationService, String propertyName, String propertyValue) {
-        GlobalProperty gp = administrationService.getGlobalPropertyObject(propertyName);
+		GlobalProperty gp;
+		try {
+			Context.addProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES);
+			gp = administrationService.getGlobalPropertyObject(propertyName);
+		} finally {
+			Context.removeProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES);
+		}
         if (gp == null) {
             gp = new GlobalProperty(propertyName, propertyValue);
         }

diff --git a/...ain/java/org/openmrs/module/referenceapplication/page/controller/LoginPageController.java b/...ain/java/org/openmrs/module/referenceapplication/page/controller/LoginPageController.java
@@ -33,6 +33,7 @@
 import org.openmrs.ui.framework.annotation.SpringBean;
 import org.openmrs.ui.framework.page.PageModel;
 import org.openmrs.ui.framework.page.PageRequest;
+import org.openmrs.util.PrivilegeConstants;
 import org.openmrs.web.user.CurrentUsers;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.CookieValue;
@@ -150,10 +151,16 @@ public String get(PageModel model, UiUtils ui, PageRequest pageRequest,
 	}
 
 	private boolean isLocationUserPropertyAvailable(AdministrationService administrationService) {
-		String locationUserPropertyName = administrationService
-		        .getGlobalProperty(ReferenceApplicationConstants.LOCATION_USER_PROPERTY_NAME);
-
-		return StringUtils.isNotBlank(locationUserPropertyName);
+		try {
+			Context.addProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES);
+			String locationUserPropertyName = administrationService
+					.getGlobalProperty(ReferenceApplicationConstants.LOCATION_USER_PROPERTY_NAME);
+
+			return StringUtils.isNotBlank(locationUserPropertyName);
+		} finally {
+			Context.removeProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES);
+		}
+
 	}
 
 	private boolean isUrlWithinOpenmrs(PageRequest pageRequest, String redirectUrl) {
@@ -376,8 +383,14 @@ private boolean isSameUser(PageRequest pageRequest, String username) {
 	}
 
 	private List<Location> getUserLocations(AdministrationService adminService, LocationService locationService) {
-		String locationUserPropertyName = adminService
-		        .getGlobalProperty(ReferenceApplicationConstants.LOCATION_USER_PROPERTY_NAME);
+		String locationUserPropertyName;
+		try {
+			Context.addProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES);
+			locationUserPropertyName = adminService.getGlobalProperty(ReferenceApplicationConstants.LOCATION_USER_PROPERTY_NAME);
+		}
+		finally {
+			Context.removeProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES);
+		}
 		List<Location> locations = new ArrayList();
 		String locationUuids = Context.getAuthenticatedUser().getUserProperty(locationUserPropertyName);
 		if (StringUtils.isNotBlank(locationUuids)) {