From f44e5b77e12832a75da4ed51f17efa3ca21d7b30 Mon Sep 17 00:00:00 2001 From: Wikum Weerakutti Date: Wed, 19 Jun 2024 21:36:38 +0530 Subject: [PATCH] TRUNK-6203: Global properties access should be privileged --- .../ReferenceApplicationActivator.java | 9 ++++++- .../page/controller/LoginPageController.java | 25 ++++++++++++++----- 2 files changed, 27 insertions(+), 7 deletions(-) diff --git a/api/src/main/java/org/openmrs/module/referenceapplication/ReferenceApplicationActivator.java b/api/src/main/java/org/openmrs/module/referenceapplication/ReferenceApplicationActivator.java index bda25155..c5c5ec12 100644 --- a/api/src/main/java/org/openmrs/module/referenceapplication/ReferenceApplicationActivator.java +++ b/api/src/main/java/org/openmrs/module/referenceapplication/ReferenceApplicationActivator.java @@ -50,6 +50,7 @@ import org.openmrs.scheduler.TaskDefinition; import org.openmrs.scheduler.tasks.ProcessHL7InQueueTask; import org.openmrs.ui.framework.resource.ResourceFactory; +import org.openmrs.util.PrivilegeConstants; /** * This class contains the logic that is run every time this module is either started or stopped. @@ -167,7 +168,13 @@ private void setupRegistrationcoreGlobalProperties(AdministrationService adminis } private void setGlobalProperty(AdministrationService administrationService, String propertyName, String propertyValue) { - GlobalProperty gp = administrationService.getGlobalPropertyObject(propertyName); + GlobalProperty gp; + try { + Context.addProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES); + gp = administrationService.getGlobalPropertyObject(propertyName); + } finally { + Context.removeProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES); + } if (gp == null) { gp = new GlobalProperty(propertyName, propertyValue); } diff --git a/omod/src/main/java/org/openmrs/module/referenceapplication/page/controller/LoginPageController.java b/omod/src/main/java/org/openmrs/module/referenceapplication/page/controller/LoginPageController.java index f5ae2a49..ff0726c1 100644 --- a/omod/src/main/java/org/openmrs/module/referenceapplication/page/controller/LoginPageController.java +++ b/omod/src/main/java/org/openmrs/module/referenceapplication/page/controller/LoginPageController.java @@ -33,6 +33,7 @@ import org.openmrs.ui.framework.annotation.SpringBean; import org.openmrs.ui.framework.page.PageModel; import org.openmrs.ui.framework.page.PageRequest; +import org.openmrs.util.PrivilegeConstants; import org.openmrs.web.user.CurrentUsers; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.CookieValue; @@ -150,10 +151,16 @@ public String get(PageModel model, UiUtils ui, PageRequest pageRequest, } private boolean isLocationUserPropertyAvailable(AdministrationService administrationService) { - String locationUserPropertyName = administrationService - .getGlobalProperty(ReferenceApplicationConstants.LOCATION_USER_PROPERTY_NAME); - - return StringUtils.isNotBlank(locationUserPropertyName); + try { + Context.addProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES); + String locationUserPropertyName = administrationService + .getGlobalProperty(ReferenceApplicationConstants.LOCATION_USER_PROPERTY_NAME); + + return StringUtils.isNotBlank(locationUserPropertyName); + } finally { + Context.removeProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES); + } + } private boolean isUrlWithinOpenmrs(PageRequest pageRequest, String redirectUrl) { @@ -376,8 +383,14 @@ private boolean isSameUser(PageRequest pageRequest, String username) { } private List getUserLocations(AdministrationService adminService, LocationService locationService) { - String locationUserPropertyName = adminService - .getGlobalProperty(ReferenceApplicationConstants.LOCATION_USER_PROPERTY_NAME); + String locationUserPropertyName; + try { + Context.addProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES); + locationUserPropertyName = adminService.getGlobalProperty(ReferenceApplicationConstants.LOCATION_USER_PROPERTY_NAME); + } + finally { + Context.removeProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES); + } List locations = new ArrayList(); String locationUuids = Context.getAuthenticatedUser().getUserProperty(locationUserPropertyName); if (StringUtils.isNotBlank(locationUuids)) {