From 4ec7c5e0e2baa7662383edca6703f89daea2cc91 Mon Sep 17 00:00:00 2001
From: Richard Morales
Date: Wed, 29 May 2013 17:10:16 -0500
Subject: [PATCH] IDEMPIERE-933 Window Customization Security Hole
---
.../oracle/201305171202_IDEMPIERE-933.sql | 13 +++++++++++++
.../postgresql/201305171202_IDEMPIERE-933.sql | 14 ++++++++++++++
.../src/org/compiere/model/MUserDefField.java | 18 ++++++++++++++++++
3 files changed, 45 insertions(+)
create mode 100644 migration/i1.0b-release/oracle/201305171202_IDEMPIERE-933.sql
create mode 100644 migration/i1.0b-release/postgresql/201305171202_IDEMPIERE-933.sql
diff --git a/migration/i1.0b-release/oracle/201305171202_IDEMPIERE-933.sql b/migration/i1.0b-release/oracle/201305171202_IDEMPIERE-933.sql
new file mode 100644
index 0000000000..8115b4f250
--- /dev/null
+++ b/migration/i1.0b-release/oracle/201305171202_IDEMPIERE-933.sql
@@ -0,0 +1,13 @@
+-- May 17, 2013 11:59:06 AM COT
+-- IDEMPIERE-933 Window Customization Security Hole
+INSERT INTO AD_Message (MsgType,MsgText,AD_Message_ID,EntityType,AD_Message_UU,Value,IsActive,Updated,CreatedBy,UpdatedBy,AD_Org_ID,Created,AD_Client_ID) VALUES ('I','The reference of an encripted field cannot be changed
+',200175,'D','f09382d4-62bb-48a8-abb9-d71ec5fbc5fe','NotChangeReference','Y',TO_DATE('2013-05-17 11:59:05','YYYY-MM-DD HH24:MI:SS'),100,100,0,TO_DATE('2013-05-17 11:59:05','YYYY-MM-DD HH24:MI:SS'),0)
+;
+
+-- May 17, 2013 11:59:06 AM COT
+-- IDEMPIERE-933 Window Customization Security Hole
+INSERT INTO AD_Message_Trl (AD_Language,AD_Message_ID, MsgText,MsgTip, IsTranslated,AD_Client_ID,AD_Org_ID,Created,Createdby,Updated,UpdatedBy,AD_Message_Trl_UU ) SELECT l.AD_Language,t.AD_Message_ID, t.MsgText,t.MsgTip, 'N',t.AD_Client_ID,t.AD_Org_ID,t.Created,t.Createdby,t.Updated,t.UpdatedBy,Generate_UUID() FROM AD_Language l, AD_Message t WHERE l.IsActive='Y' AND l.IsSystemLanguage='Y' AND l.IsBaseLanguage='N' AND t.AD_Message_ID=200175 AND NOT EXISTS (SELECT * FROM AD_Message_Trl tt WHERE tt.AD_Language=l.AD_Language AND tt.AD_Message_ID=t.AD_Message_ID)
+;
+
+SELECT register_migration_script('201305171202_IDEMPIERE-933.sql') FROM dual
+;
diff --git a/migration/i1.0b-release/postgresql/201305171202_IDEMPIERE-933.sql b/migration/i1.0b-release/postgresql/201305171202_IDEMPIERE-933.sql
new file mode 100644
index 0000000000..6d96bcc065
--- /dev/null
+++ b/migration/i1.0b-release/postgresql/201305171202_IDEMPIERE-933.sql
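Review bot: The message text inserted for `NotChangeReference` misspells "encrypted" as "encripted" and carries an embedded line break before the closing quote, and the second statement copies both into `AD_Message_Trl`; the PostgreSQL script in this patch has the same text. Suggest `'The reference of an encrypted field cannot be changed'` on a single line in both scripts. The row is also registered with `MsgType` `'I'` although the Java change passes it to `log.saveError`; if the dictionary distinguishes error messages, `'E'` may be the better fit.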
@@ -0,0 +1,14 @@
+-- May 17, 2013 11:59:06 AM COT
+-- IDEMPIERE-933 Window Customization Security Hole
+INSERT INTO AD_Message (MsgType,MsgText,AD_Message_ID,EntityType,AD_Message_UU,Value,IsActive,Updated,CreatedBy,UpdatedBy,AD_Org_ID,Created,AD_Client_ID) VALUES ('I','The reference of an encripted field cannot be changed
+',200175,'D','f09382d4-62bb-48a8-abb9-d71ec5fbc5fe','NotChangeReference','Y',TO_TIMESTAMP('2013-05-17 11:59:05','YYYY-MM-DD HH24:MI:SS'),100,100,0,TO_TIMESTAMP('2013-05-17 11:59:05','YYYY-MM-DD HH24:MI:SS'),0)
+;
+
+-- May 17, 2013 11:59:06 AM COT
+-- IDEMPIERE-933 Window Customization Security Hole
+INSERT INTO AD_Message_Trl (AD_Language,AD_Message_ID, MsgText,MsgTip, IsTranslated,AD_Client_ID,AD_Org_ID,Created,Createdby,Updated,UpdatedBy,AD_Message_Trl_UU ) SELECT l.AD_Language,t.AD_Message_ID, t.MsgText,t.MsgTip, 'N',t.AD_Client_ID,t.AD_Org_ID,t.Created,t.Createdby,t.Updated,t.UpdatedBy,Generate_UUID() FROM AD_Language l, AD_Message t WHERE l.IsActive='Y' AND l.IsSystemLanguage='Y' AND l.IsBaseLanguage='N' AND t.AD_Message_ID=200175 AND NOT EXISTS (SELECT * FROM AD_Message_Trl tt WHERE tt.AD_Language=l.AD_Language AND tt.AD_Message_ID=t.AD_Message_ID)
+;
+
+SELECT register_migration_script('201305171202_IDEMPIERE-933.sql') FROM dual
+;
+
diff --git a/org.adempiere.base/src/org/compiere/model/MUserDefField.java b/org.adempiere.base/src/org/compiere/model/MUserDefField.java
index 6b30e29138..9e4c06d4fe 100644
--- a/org.adempiere.base/src/org/compiere/model/MUserDefField.java
+++ b/org.adempiere.base/src/org/compiere/model/MUserDefField.java
@@ -20,6 +20,7 @@ import java.util.logging.Level;
 import org.compiere.util.CLogger;
 import org.compiere.util.DB;
+import org.compiere.util.Msg;
 /**
@@ -116,5 +117,22 @@ public class MUserDefField extends X_AD_UserDef_Field
 return retValue;
 }
+
+ /**
+ * Before Save
+ * @param newRecord new
+ * @return true
+ */
+ protected boolean beforeSave (boolean newRecord)
+ {
+ if (is_ValueChanged("AD_Reference_ID")){
+ MField field = new MField(getCtx(), getAD_Field_ID(), get_TrxName());
+ if (field.isEncrypted()){
+ log.saveError("SaveError", Msg.getMsg(getCtx(), "NotChangeReference"));
+ return false;
+ }
+ }
+ return true;
+ }
 } // MyModelExample
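Review bot: The new `beforeSave` guard rejects the change only at save time through the model class, so an `AD_UserDef_Field` row that already overrides `AD_Reference_ID` for an encrypted field, or one written without going through `beforeSave`, would presumably still be honoured when the window is built. The code that applies the override is outside this diff; it is worth confirming that it ignores a reference override when the base field is encrypted, and checking existing rows as part of the migration. The test also depends only on `field.isEncrypted()`, so if encryption can also be flagged on the underlying column, that case is not covered here. The Javadoc says `@return true` although the method returns false when it rejects the change; suggest `@return false if the reference of an encrypted field would be changed, otherwise true`, plus an `@Override` annotation. The enclosing class starts outside the hunk.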