From 1f701bbced22af077503f69f96c9a04d95cf92d1 Mon Sep 17 00:00:00 2001 From: Carlos Ruiz Date: Mon, 10 Jun 2019 15:08:00 +0200 Subject: [PATCH 1/6] IDEMPIERE-3980 Thanks to Alessandro Cordella for reporting --- .../WEB-INF/src/org/adempiere/webui/panel/WAttachment.java | 1 + .../WEB-INF/src/org/adempiere/webui/window/WMediaDialog.java | 2 ++ org.adempiere.ui.zk/WEB-INF/web.xml | 4 ++++ 3 files changed, 7 insertions(+) diff --git a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/panel/WAttachment.java b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/panel/WAttachment.java index c6c69854d6..ae18b97904 100644 --- a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/panel/WAttachment.java +++ b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/panel/WAttachment.java @@ -482,6 +482,7 @@ public class WAttachment extends Window implements EventListener AMedia media = new AMedia(entry.getName(), null, contentType, entry.getData()); preview.setContent(media); + preview.setClientAttribute("sandbox", ""); preview.setVisible(true); preview.invalidate(); } diff --git a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WMediaDialog.java b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WMediaDialog.java index 85e3c6fc14..b8ec742919 100644 --- a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WMediaDialog.java +++ b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WMediaDialog.java @@ -237,7 +237,9 @@ public class WMediaDialog extends Window implements EventListener AMedia media = createMedia(); preview.setContent(media); + preview.setClientAttribute("sandbox", ""); preview.setVisible(true); + preview.invalidate(); } catch (Exception e) { diff --git a/org.adempiere.ui.zk/WEB-INF/web.xml b/org.adempiere.ui.zk/WEB-INF/web.xml index 15898c060e..3f001c5015 100644 --- a/org.adempiere.ui.zk/WEB-INF/web.xml +++ b/org.adempiere.ui.zk/WEB-INF/web.xml @@ -85,6 +85,10 @@ + + true + true + 60 
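Review bot: The empty `sandbox` value set right after `preview.setContent(media)` is the most restrictive iframe mode (no script, no forms, no same-origin access for the framed document), which is the right default for user-uploaded attachments, but nothing in the code records why it is there; add `// attachments are untrusted input: render the preview fully sandboxed so embedded script cannot run in the application origin (IDEMPIERE-3980)`. The WMediaDialog hunk on this same line needs the same comment and, if its added `preview.invalidate()` exists to make the client re-render with the new attribute, a short note saying so. `sandbox` only restricts what the framed document may do once rendered; the `contentType` handed to `AMedia` still decides how the browser interprets the bytes, and this hunk does not change that. The web.xml hunk's element names did not survive rendering on this page, so it is not reviewed here; both enclosing Java methods start and end outside their hunks.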
From 0451bf0b4f6ed22024a25638e57013336044525a Mon Sep 17 00:00:00 2001 From: Carlos Ruiz Date: Mon, 10 Jun 2019 18:19:31 +0200 Subject: [PATCH 2/6] IDEMPIERE-3980 --- org.adempiere.ui.zk/.classpath | 1 + org.adempiere.ui.zk/META-INF/MANIFEST.MF | 3 ++- .../org/adempiere/webui/editor/WHtmlEditor.java | 2 +- .../webui/window/WTextEditorDialog.java | 16 ++++++++++++++-- org.adempiere.ui.zk/build.properties | 1 + org.adempiere.ui.zk/pom.xml | 5 +++++ 6 files changed, 24 insertions(+), 4 deletions(-) diff --git a/org.adempiere.ui.zk/.classpath b/org.adempiere.ui.zk/.classpath index 6a9ce5244c..b58918e146 100644 --- a/org.adempiere.ui.zk/.classpath +++ b/org.adempiere.ui.zk/.classpath @@ -9,5 +9,6 @@ + diff --git a/org.adempiere.ui.zk/META-INF/MANIFEST.MF b/org.adempiere.ui.zk/META-INF/MANIFEST.MF index 6376ff9d1f..3bb82eb2bb 100644 --- a/org.adempiere.ui.zk/META-INF/MANIFEST.MF +++ b/org.adempiere.ui.zk/META-INF/MANIFEST.MF @@ -55,7 +55,8 @@ Import-Package: groovy.transform.stc;version="2.4.7", DynamicImport-Package: action.images Bundle-ClassPath: ., WEB-INF/lib/ckez.jar, - WEB-INF/lib/daisydiff.jar + WEB-INF/lib/daisydiff.jar, + WEB-INF/lib/owasp-java-html-sanitizer.jar Export-Package: fi.jawsy.jawwa.zk.atmosphere, metainfo.zk, org.adempiere.webui, diff --git a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WHtmlEditor.java b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WHtmlEditor.java index 4dea40686c..3dc308523f 100644 --- a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WHtmlEditor.java +++ b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WHtmlEditor.java 
@@ -194,7 +194,7 @@ public class WHtmlEditor extends WEditor implements ContextMenuListener adwindowContent.hideBusyMask(); } if (!dialog.isCancelled()) { - box.setContent(dialog.getText()); + box.setContent(WTextEditorDialog.sanitize(dialog.getText())); String newText = box.getContent(); ValueChangeEvent changeEvent = new ValueChangeEvent(WHtmlEditor.this, WHtmlEditor.this.getColumnName(), oldValue, newText); WHtmlEditor.super.fireValueChange(changeEvent); diff --git a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WTextEditorDialog.java b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WTextEditorDialog.java index 3ee0513e6c..ea62e8ead3 100644 --- a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WTextEditorDialog.java +++ b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WTextEditorDialog.java @@ -28,6 +28,8 @@ import org.adempiere.webui.component.Window; import org.adempiere.webui.theme.ThemeManager; import org.adempiere.webui.util.ZKUpdateUtil; import org.compiere.util.Language; +import org.owasp.html.PolicyFactory; +import org.owasp.html.Sanitizers; import org.zkforge.ckez.CKeditor; import org.zkoss.zk.au.out.AuScript; import org.zkoss.zk.ui.event.Event; @@ -48,7 +50,7 @@ public class WTextEditorDialog extends Window implements EventListener{ /** * */ - private static final long serialVersionUID = 1188165765430615546L; + private static final long serialVersionUID = -1857623453350849161L; private boolean editable; private int maxSize; @@ -186,7 +188,7 @@ public class WTextEditorDialog extends Window implements EventListener{ } public void onEditorCallback(Event event) { - text = (String) event.getData(); + text = sanitize((String) event.getData()); detach(); } 
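Review bot: `box.setContent(WTextEditorDialog.sanitize(dialog.getText()))` cleans the value on its way from the editor dialog into `box`, but the content the box is initially loaded with from the record is not passed through the sanitizer anywhere in this hunk; if HTML can reach that column by other paths (import, web services, data written before this change), sanitizing at display time as well is what closes the gap — the load path is outside the hunk, so this is an inference. As far as the page shows, `dialog.getText()` returns the field that `onEditorCallback` already sanitizes (a later hunk on this line), so this second pass should be redundant but harmless; if that is the intent, say so: `// defence in depth: the dialog text is sanitized again in case it was set without going through onEditorCallback`. The enclosing event handler starts and ends outside the hunk.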
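Review bot: `text = sanitize((String) event.getData())` changes what callers of `getText()` see when the event data is null: `PolicyFactory.sanitize` returns an empty string for a null input as far as I recall, so `text` can no longer be null after the callback, and any caller that distinguishes null from empty would behave differently. If null is a possible payload here, keep it explicit: `String data = (String) event.getData();` / `text = data == null ? null : sanitize(data);`. Note also that the sanitizer rewrites rather than rejects, so markup the policy does not allow (script, event-handler attributes, iframes) vanishes without feedback; a debug-level log of input versus output length would make "my HTML was lost" reports diagnosable without logging the content itself. The enclosing class starts and ends outside the hunk.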
@@ -264,4 +266,14 @@ public class WTextEditorDialog extends Window implements EventListener{ return text; } + public static String sanitize(String untrustedHTML) { + final PolicyFactory policy = Sanitizers.BLOCKS + .and(Sanitizers.FORMATTING) + .and(Sanitizers.IMAGES) + .and(Sanitizers.LINKS) + .and(Sanitizers.STYLES) + .and(Sanitizers.TABLES); + return policy.sanitize(untrustedHTML); + } + } diff --git a/org.adempiere.ui.zk/build.properties b/org.adempiere.ui.zk/build.properties index 8f0c6267a2..aba88e9ea0 100644 --- a/org.adempiere.ui.zk/build.properties +++ b/org.adempiere.ui.zk/build.properties @@ -35,6 +35,7 @@ bin.includes = META-INF/,\ pdf.js/,\ WEB-INF/lib/ckez.jar,\ WEB-INF/lib/daisydiff.jar,\ + WEB-INF/lib/owasp-java-html-sanitizer.jar,\ . src.includes = WEB-INF/tld/,\ WEB-INF/web.xml,\ diff --git a/org.adempiere.ui.zk/pom.xml b/org.adempiere.ui.zk/pom.xml index 9a5c585a2d..0170c5d605 100644 --- a/org.adempiere.ui.zk/pom.xml +++ b/org.adempiere.ui.zk/pom.xml @@ -62,6 +62,11 @@ ckez 4.7.0.0 + + com.googlecode.owasp-java-html-sanitizer + owasp-java-html-sanitizer + 20190503.1 + WEB-INF/lib true From ccf591b89b86438c7d2495206e044107dc63e5ff Mon Sep 17 00:00:00 2001 From: "Redhuan D. Oon" Date: Mon, 10 Jun 2019 18:35:52 +0200 Subject: [PATCH 3/6] IDEMPIERE-3982 MOrderLine.setPrice should not override UnitOfMeasure --- org.adempiere.base/src/org/compiere/model/MOrderLine.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/org.adempiere.base/src/org/compiere/model/MOrderLine.java b/org.adempiere.base/src/org/compiere/model/MOrderLine.java index 04841e5506..fbeeb8c816 100644 --- a/org.adempiere.base/src/org/compiere/model/MOrderLine.java +++ b/org.adempiere.base/src/org/compiere/model/MOrderLine.java 
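Review bot: `sanitize` rebuilds the `PolicyFactory` on every call; the `Sanitizers.BLOCKS.and(...)` composition is immutable and thread-safe, so build it once as a `private static final` field and have `sanitize` reuse it. The method also has no Javadoc stating the allow-list it enforces, which matters because the two call sites on this page (WHtmlEditor and `onEditorCallback`) treat it as the single place where user HTML is cleaned: BLOCKS/FORMATTING/IMAGES/LINKS/STYLES/TABLES keeps images, links (restricted to standard URL protocols, with `rel=nofollow` added), inline styles and tables, and drops script, event-handler attributes, iframes and forms. Null input is mapped to an empty string by `PolicyFactory.sanitize` as far as I recall — confirm against the bundled version and document it in the Javadoc.
```java
	/** Allow-list applied to every HTML value accepted from the editor (IDEMPIERE-3980); immutable, safe to share. */
	private static final PolicyFactory HTML_POLICY = Sanitizers.BLOCKS
			.and(Sanitizers.FORMATTING)
			.and(Sanitizers.IMAGES)
			.and(Sanitizers.LINKS)
			.and(Sanitizers.STYLES)
			.and(Sanitizers.TABLES);

	/**
	 * Removes everything outside {@link #HTML_POLICY} (script, event-handler attributes,
	 * unknown tags/attributes, non-standard URL protocols) from HTML received from the client.
	 * @param untrustedHTML HTML as received from the client
	 * @return sanitized HTML (an empty string for null input per PolicyFactory -- confirm against the bundled version)
	 */
	public static String sanitize(String untrustedHTML) {
		return HTML_POLICY.sanitize(untrustedHTML);
	}
```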
@@ -311,7 +311,8 @@ public class MOrderLine extends X_C_OrderLine // Calculate Discount setDiscount(m_productPrice.getDiscount()); // Set UOM - setC_UOM_ID(m_productPrice.getC_UOM_ID()); + if (getC_UOM_ID()==0) + setC_UOM_ID(m_productPrice.getC_UOM_ID()); } // setPrice /** From 05da94ddf19cf0c36569e23431126a2f793f98ac Mon Sep 17 00:00:00 2001 From: michal_zilincar Date: Mon, 3 Jun 2019 18:16:21 +0200 Subject: [PATCH 4/6] IDEMPIERE-3979 Record Access Exlude problem --- .../src/org/compiere/model/GridField.java | 12 ++++++++ .../webui/editor/WTableDirEditor.java | 29 ++++++++++++++----- 2 files changed, 34 insertions(+), 7 deletions(-) diff --git a/org.adempiere.base/src/org/compiere/model/GridField.java b/org.adempiere.base/src/org/compiere/model/GridField.java index 936a0864b3..6b370054e4 100644 --- a/org.adempiere.base/src/org/compiere/model/GridField.java +++ b/org.adempiere.base/src/org/compiere/model/GridField.java @@ -110,7 +110,10 @@ public class GridField * GridTab.processDependentFields will check this flag to avoid clearing of lookup field value that just have been set. **/ private boolean m_lookupEditorSettingValue = false; + private boolean m_lockedrecord=false; + + /** * Dispose */ @@ -444,6 +447,8 @@ public class GridField { if (isVirtualColumn()) return false; + if (m_lockedrecord) + return false; // Fields always enabled (are usually not updateable) if (m_vo.ColumnName.equals("Posted") || (m_vo.ColumnName.equals("Record_ID") && m_vo.displayType == DisplayType.Button)) // Zoom @@ -2507,6 +2512,13 @@ public class GridField return m_vo.displayType == DisplayType.Button && MColumn.ISTOOLBARBUTTON_Toolbar.equals(m_vo.IsToolbarButton); } + public boolean islockedrecord() { + return m_lockedrecord; + } + + public void setlockedrecord(boolean m_lockedrecord) { + this.m_lockedrecord = m_lockedrecord; + } public int getPA_DashboardContent_ID() { return m_vo.PA_DashboardContent_ID; 
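Review bot: The unbraced two-line `if (getC_UOM_ID()==0)` body is a style point — brace it, and update the now-stale `// Set UOM` comment so the next reader knows the UOM is only defaulted: `// Set UOM only when the line has none: a UOM chosen by the user must survive a price recalculation (IDEMPIERE-3982)` / `if (getC_UOM_ID() == 0) {` / `setC_UOM_ID(m_productPrice.getC_UOM_ID());` plus the closing brace. One behavioural consequence to confirm: a line whose UOM differs from the price list's UOM now keeps its UOM while still taking the price-list price and the discount set just above, so price and UOM can disagree unless a conversion happens elsewhere — the callers are outside the hunk. `setPrice` starts outside the hunk.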
diff --git a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WTableDirEditor.java b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WTableDirEditor.java
index 14f0bee057..0bbf789378 100644
--- a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WTableDirEditor.java
+++ b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WTableDirEditor.java
@@ -44,6 +44,7 @@ import org.compiere.model.Lookup;
 import org.compiere.model.MBPartnerLocation;
 import org.compiere.model.MLocation;
 import org.compiere.model.MLookup;
+import org.compiere.model.MRole;
 import org.compiere.model.MTable;
 import org.compiere.util.CCache;
 import org.compiere.util.CLogger;
@@ -313,24 +314,38 @@ ContextMenuListener, IZoomableEditor refreshList(); } - //still not in list, reset to zero + //still not in list, reset to zero if (!getComponent().isSelected(value)) { if (value instanceof Integer && gridField != null && gridField.getDisplayType() != DisplayType.ID && (gridTab==null || !gridTab.getTableModel().isImporting())) // for IDs is ok to be out of the list { - getComponent().setValue(null); - if (curValue == null) - curValue = value; - ValueChangeEvent changeEvent = new ValueChangeEvent(this, this.getColumnName(), curValue, null); - super.fireValueChange(changeEvent); - oldValue = null; + //if it is problem with record lock, just keep value (no trigger change) and set field readonly + MRole role = MRole.getDefault(Env.getCtx(), false); + if (role.isRecordAccess(gridTab.getAD_Table_ID() ,(int)value,false)){ + oldValue = value; + setReadWrite(false); + gridField.setlockedrecord(true); + } + else + { + getComponent().setValue(null); + if (curValue == null) + curValue = value; + ValueChangeEvent changeEvent = new ValueChangeEvent(this, this.getColumnName(), curValue, null); + super.fireValueChange(changeEvent); + oldValue = null; + if (gridField!=null) + gridField.setlockedrecord(false); + } } } } else { oldValue = value; + if (gridField!=null) + gridField.setlockedrecord(false); } } else From 6bdfc00408bc8e6a7e0d6750d7f64af1917fa78f Mon Sep 17 00:00:00 2001 From: Carlos Ruiz Date: Mon, 10 Jun 2019 19:22:13 +0200 Subject: [PATCH 5/6] IDEMPIERE-3979 Record Access Exclude problem / peer review --- .../src/org/compiere/model/GridField.java | 17 ++++--- .../webui/editor/WTableDirEditor.java | 47 +++++++++++-------- 2 files changed, 36 insertions(+), 28 deletions(-) diff --git a/org.adempiere.base/src/org/compiere/model/GridField.java b/org.adempiere.base/src/org/compiere/model/GridField.java index 6b370054e4..fe9f8a6160 100644 --- a/org.adempiere.base/src/org/compiere/model/GridField.java 
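Review bot: `role.isRecordAccess(gridTab.getAD_Table_ID() ,(int)value,false)` dereferences `gridTab` inside a branch whose guard explicitly admits `gridTab == null`, and it tests access against the tab's own table rather than the table the lookup references, so a value excluded by record access on the referenced table is not what gets checked. Both points, and the sense of the `isRecordAccess` test (this version locks the field when the call returns true, which the follow-up negates, so it appears inverted here), are reworked by the IDEMPIERE-3979 peer-review commit further down this page; review that version rather than this one. The enclosing method starts and ends outside the hunk.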
+++ b/org.adempiere.base/src/org/compiere/model/GridField.java @@ -83,7 +83,7 @@ public class GridField /** * */ - private static final long serialVersionUID = -1871840570764036802L; + private static final long serialVersionUID = -5923967271000455417L; /** * Field Constructor. @@ -110,10 +110,8 @@ public class GridField * GridTab.processDependentFields will check this flag to avoid clearing of lookup field value that just have been set. **/ private boolean m_lookupEditorSettingValue = false; - private boolean m_lockedrecord=false; + private boolean m_lockedRecord = false; - - /** * Dispose */ @@ -447,7 +445,7 @@ public class GridField { if (isVirtualColumn()) return false; - if (m_lockedrecord) + if (m_lockedRecord) return false; // Fields always enabled (are usually not updateable) if (m_vo.ColumnName.equals("Posted") @@ -2512,13 +2510,14 @@ public class GridField return m_vo.displayType == DisplayType.Button && MColumn.ISTOOLBARBUTTON_Toolbar.equals(m_vo.IsToolbarButton); } - public boolean islockedrecord() { - return m_lockedrecord; + public boolean isLockedRecord() { + return m_lockedRecord; } - public void setlockedrecord(boolean m_lockedrecord) { - this.m_lockedrecord = m_lockedrecord; + public void setLockedRecord(boolean lockedRecord) { + this.m_lockedRecord = lockedRecord; } + public int getPA_DashboardContent_ID() { return m_vo.PA_DashboardContent_ID; diff --git a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WTableDirEditor.java b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WTableDirEditor.java index 0bbf789378..338e798d75 100644 --- a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WTableDirEditor.java +++ b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WTableDirEditor.java 
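Review bot: `isLockedRecord()`, `setLockedRecord(boolean)` and the `m_lockedRecord` field have no Javadoc, and the name alone does not say what "locked" means here; from the WTableDirEditor hunk on this page it means the field's current value references a record the role is not allowed to access, so document it on the field: `/** true when the current value points to a record the role has no access to (set by the lookup editor); isEditable() then returns false so the value is preserved but cannot be changed */`. In `isEditable` the new `if (m_lockedRecord) return false;` sits before the "Fields always enabled" exception, so a locked value wins over that exception — if that precedence is intended, a one-line comment would make it deliberate rather than accidental. The serialVersionUID and rename hunks need no change; the enclosing class starts and ends outside the hunks.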
@@ -42,6 +42,7 @@ import org.compiere.model.GridField;
 import org.compiere.model.GridTable;
 import org.compiere.model.Lookup;
 import org.compiere.model.MBPartnerLocation;
+import org.compiere.model.MColumn;
 import org.compiere.model.MLocation;
 import org.compiere.model.MLookup;
 import org.compiere.model.MRole;
@@ -314,30 +315,38 @@ ContextMenuListener, IZoomableEditor refreshList(); } - //still not in list, reset to zero + //still not in list, reset to zero if (!getComponent().isSelected(value)) { if (value instanceof Integer && gridField != null && gridField.getDisplayType() != DisplayType.ID && (gridTab==null || !gridTab.getTableModel().isImporting())) // for IDs is ok to be out of the list { - //if it is problem with record lock, just keep value (no trigger change) and set field readonly + //if it is problem with record lock, just keep value (no trigger change) and set field readonly MRole role = MRole.getDefault(Env.getCtx(), false); - if (role.isRecordAccess(gridTab.getAD_Table_ID() ,(int)value,false)){ - oldValue = value; - setReadWrite(false); - gridField.setlockedrecord(true); - } - else - { - getComponent().setValue(null); - if (curValue == null) - curValue = value; - ValueChangeEvent changeEvent = new ValueChangeEvent(this, this.getColumnName(), curValue, null); - super.fireValueChange(changeEvent); - oldValue = null; - if (gridField!=null) - gridField.setlockedrecord(false); - } + MColumn col = MColumn.get(Env.getCtx(), gridField.getAD_Column_ID()); + int refTableID = -1; + if (col.get_ID() > 0) { + String refTable = col.getReferenceTableName(); + MTable table = MTable.get(Env.getCtx(), refTable); + refTableID = table.getAD_Table_ID(); + } + if (refTableID > 0 && ! role.isRecordAccess(refTableID, (int)value, false)) + { + oldValue = value; + setReadWrite(false); + gridField.setLockedRecord(true); + } + else + { + getComponent().setValue(null); + if (curValue == null) + curValue = value; + ValueChangeEvent changeEvent = new ValueChangeEvent(this, this.getColumnName(), curValue, null); + super.fireValueChange(changeEvent); + oldValue = null; + if (gridField!=null) + gridField.setLockedRecord(false); + } } } } 
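Review bot: `refTableID = table.getAD_Table_ID();` trusts that `col.getReferenceTableName()` and `MTable.get(Env.getCtx(), refTable)` both return non-null; for a column whose reference is not table-backed the name may be null and the lookup may then return null, which would throw inside a plain value set — hedged, since those contracts are not visible here, but a null guard costs two lines: `MTable table = refTable == null ? null : MTable.get(Env.getCtx(), refTable);` / `if (table != null) refTableID = table.getAD_Table_ID();`. `setReadWrite(false)` is called when the record is locked but nothing in this hunk calls `setReadWrite(true)` when the flag is cleared; that is fine only if the containing panel re-derives editability from `GridField.isEditable()` on every record change, otherwise the editor stays read-only after moving to an accessible record — worth confirming. The inner `if (gridField!=null)` before `gridField.setLockedRecord(false)` is redundant, since the enclosing condition already requires `gridField != null`. From an access-control view the approach is sound: the excluded record's ID is retained rather than silently nulled, and the field is frozen so the user cannot alter a reference they lack rights to. The enclosing method starts and ends outside the hunk.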
@@ -345,7 +354,7 @@ ContextMenuListener, IZoomableEditor
 {
 oldValue = value;
 if (gridField!=null)
- gridField.setlockedrecord(false);
+ gridField.setLockedRecord(false);
 }
 }
 else
From e5ff5c09e7a6abba7c2fbf773fe71aa7797bb40b Mon Sep 17 00:00:00 2001
From: Nicolas Micoud
Date: Mon, 10 Jun 2019 19:27:25 +0200
Subject: [PATCH 6/6] IDEMPIERE-1108 Some bugs found while testing 2Pack / export the validation rule attached to the field
---
 .../org/adempiere/pipo2/handler/FieldElementHandler.java | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/org.adempiere.pipo.handlers/src/org/adempiere/pipo2/handler/FieldElementHandler.java b/org.adempiere.pipo.handlers/src/org/adempiere/pipo2/handler/FieldElementHandler.java
index 5650fc14a0..7a33c2340d 100644
--- a/org.adempiere.pipo.handlers/src/org/adempiere/pipo2/handler/FieldElementHandler.java
+++ b/org.adempiere.pipo.handlers/src/org/adempiere/pipo2/handler/FieldElementHandler.java
@@ -33,6 +33,7 @@ import org.compiere.model.I_AD_Field;
 import org.compiere.model.I_AD_FieldGroup;
 import org.compiere.model.I_AD_Reference;
 import org.compiere.model.I_AD_Tab;
+import org.compiere.model.I_AD_Val_Rule;
 import org.compiere.model.MField;
 import org.compiere.model.X_AD_Field;
 import org.compiere.model.X_AD_Package_Imp_Detail;
@@ -120,6 +121,12 @@ public class FieldElementHandler extends AbstractElementHandler {
 ElementHandler handler = packOut.getHandler(I_AD_Reference.Table_Name);
 handler.packOut(packOut,document,null,m_Field.getAD_Reference_ID());
 }
+
+ if (m_Field.getAD_Val_Rule_ID() > 0)
+ {
+ ElementHandler handler = packOut.getHandler(I_AD_Val_Rule.Table_Name);
+ handler.packOut(packOut,document,null,m_Field.getAD_Val_Rule_ID());
+ }
 }
 catch(Exception e)
 {
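Review bot: The new `AD_Val_Rule_ID` block mirrors the `AD_Reference` block above it and looks correct as far as the hunk shows, but neither block says why the referenced object must be packed out before the field itself; a comment `// pack out the validation rule first so the importing side can resolve AD_Val_Rule_ID when it creates the field` would record the ordering dependency. If `packOut.getHandler(...)` can return null for a table without a registered handler, `handler.packOut(...)` would throw into the enclosing `catch(Exception e)` — hedged, the `getHandler` contract is not visible here, but a null check with a clear log message would be cheaper to diagnose than the generic catch. The import hunk and the WTableDirEditor rename hunk on this line need no change; the enclosing method starts outside the hunk.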