TRUNK-6203: Global properties access should be privileged

openmrs · May 29, 2024 · c75e828 · c75e828
1 parent fcc0ee7
commit c75e828
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/omod-common/src/main/java/org/openmrs/module/webservices/rest/web/RestUtil.java b/omod-common/src/main/java/org/openmrs/module/webservices/rest/web/RestUtil.java
@@ -48,6 +48,7 @@
 import org.openmrs.module.webservices.rest.web.resource.api.SubResource;
 import org.openmrs.module.webservices.validation.ValidationException;
 import org.openmrs.util.OpenmrsClassLoader;
+import org.openmrs.util.PrivilegeConstants;
 import org.springframework.validation.FieldError;
 import org.springframework.validation.ObjectError;
 import org.springframework.web.bind.ServletRequestBindingException;
@@ -210,8 +211,16 @@ public static boolean ipMatches(String ip, List<String> candidateIps) {
 	 * @return the list of IPs
 	 */
 	public static List<String> getAllowedIps() {
-		String allowedIpsProperty = Context.getAdministrationService()
-		        .getGlobalProperty(RestConstants.ALLOWED_IPS_GLOBAL_PROPERTY_NAME, "");
+		String allowedIpsProperty = "";
+		try {
+			Context.addProxyPrivilege("Get Global Properties");
+			allowedIpsProperty = Context.getAdministrationService()
+					.getGlobalProperty(RestConstants.ALLOWED_IPS_GLOBAL_PROPERTY_NAME, "");
+		}
+		finally {
+			Context.removeProxyPrivilege("Get Global Properties");
+		}
+
 
 		if (allowedIpsProperty.isEmpty()) {
 			return Collections.emptyList();