From 02ce1f3c1f1dca6aa7670945aefaeab50072aa30 Mon Sep 17 00:00:00 2001
From: Carlos Ruiz
Date: Sat, 5 Dec 2020 05:42:43 +0100
Subject: [PATCH] IDEMPIERE-4268 Web Services : Read miss cross-tenant check (#436)

Two more points found about cross tenant readin in MClient and MUser
---
 .../src/org/compiere/model/MClient.java | 18 +++++++++++++++---
 .../src/org/compiere/model/MUser.java | 15 +++++++++++++--
 2 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/org.adempiere.base/src/org/compiere/model/MClient.java b/org.adempiere.base/src/org/compiere/model/MClient.java
index f0e32a804b..a97eb918ce 100644
--- a/org.adempiere.base/src/org/compiere/model/MClient.java
+++ b/org.adempiere.base/src/org/compiere/model/MClient.java
@@ -104,9 +104,21 @@ public class MClient extends X_AD_Client implements ImmutablePOSupport
 */
 public static MClient[] getAll (Properties ctx, String orderBy)
 {
- List list = new Query(ctx,I_AD_Client.Table_Name,(String)null,(String)null)
- .setOrderBy(orderBy)
- .list();
+ List list = null;
+ int cid = Env.getAD_Client_ID(Env.getCtx());
+ try {
+ if (cid > 0) {
+ // forced potential cross tenant read - requires System client in context
+ Env.setContext(Env.getCtx(), Env.AD_CLIENT_ID, 0);
+ }
+ list = new Query(ctx,I_AD_Client.Table_Name,(String)null,(String)null)
+ .setOrderBy(orderBy)
+ .list();
+ } finally {
+ if (cid > 0) {
+ Env.setContext(Env.getCtx(), Env.AD_CLIENT_ID, cid);
+ }
+ }
 for(MClient client:list ){
 s_cache.put (Integer.valueOf(client.getAD_Client_ID()), client, e -> new MClient(Env.getCtx(), e));
 }
diff --git a/org.adempiere.base/src/org/compiere/model/MUser.java b/org.adempiere.base/src/org/compiere/model/MUser.java
index a0acf66080..d2b9266189 100644
--- a/org.adempiere.base/src/org/compiere/model/MUser.java
+++ b/org.adempiere.base/src/org/compiere/model/MUser.java
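Review bot: In `MClient.getAll` the tenant id is saved, zeroed and restored on `Env.getCtx()`, while the query inside the same `try` still runs with the `ctx` parameter. If a caller passes a `Properties` object other than the current Env context, the elevation changes a context the `Query` was not given and leaves `ctx` untouched. Which of the two the cross-tenant check reads is not visible in this hunk, so that should be confirmed and the three calls made consistent with it, e.g. `int cid = Env.getAD_Client_ID(ctx);`, `Env.setContext(ctx, Env.AD_CLIENT_ID, 0);` and `Env.setContext(ctx, Env.AD_CLIENT_ID, cid);`. Since the method now returns every tenant's `MClient` regardless of the caller's own tenant, the Javadoc above it should state that callers must not pass the result on to tenant-level users unfiltered.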
@@ -822,8 +822,19 @@ public class MUser extends X_AD_User implements ImmutablePOSupport
 pstmt.setInt (3, getAD_User_ID());
 pstmt.setInt (4, AD_Org_ID);
 rs = pstmt.executeQuery ();
- while (rs.next ())
- list.add (new MRole(Env.getCtx(), rs, get_TrxName()));
+ int cid = Env.getAD_Client_ID(Env.getCtx());
+ try {
+ if (cid > 0) {
+ // forced potential cross tenant read - requires System client in context
+ Env.setContext(Env.getCtx(), Env.AD_CLIENT_ID, 0);
+ }
+ while (rs.next ())
+ list.add (new MRole(Env.getCtx(), rs, get_TrxName()));
+ } finally {
+ if (cid > 0) {
+ Env.setContext(Env.getCtx(), Env.AD_CLIENT_ID, cid);
+ }
+ }
 }
 catch (Exception e)
 {
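Review bot: The context is forced to client 0 around the whole `while (rs.next ())` loop, so by the added comment's own wording the tenant check is bypassed for every row that `new MRole(Env.getCtx(), rs, get_TrxName())` loads. Tenant isolation of the returned roles then rests entirely on the WHERE clause of the statement prepared above, which starts outside this hunk, as does the enclosing method. A comment next to the override should record that dependency, for example `// tenant check bypassed: the SQL above must only return roles assigned to this user`. The save/zero/restore sequence is also a copy of the one added to `MClient.getAll` in this commit; a small shared helper would keep the restore in `finally` from being dropped in a later copy.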