Added permission check for ProgramExport.groovy and EntitySQLProcesso…

…r.groovy, If user does not have permission don't execute the groovy file (#821)
apache · Jul 10, 2024 · 31d8d7e · 31d8d7e
1 parent 6d9bd03
commit 31d8d7e
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/framework/webtools/groovyScripts/entity/EntitySQLProcessor.groovy b/framework/webtools/groovyScripts/entity/EntitySQLProcessor.groovy
@@ -26,6 +26,9 @@ import java.util.Iterator
 import org.apache.ofbiz.entity.*
 import org.apache.ofbiz.entity.model.ModelGroupReader
 
+if (!security.hasPermission('ENTITY_MAINT', userLogin)) {
+    return
+}
 sqlCommand = context.request.getParameter("sqlCommand")
 
 resultMessage = ""

diff --git a/framework/webtools/groovyScripts/entity/ProgramExport.groovy b/framework/webtools/groovyScripts/entity/ProgramExport.groovy
@@ -29,6 +29,9 @@ import org.codehaus.groovy.control.CompilerConfiguration
 import org.codehaus.groovy.control.MultipleCompilationErrorsException
 import org.codehaus.groovy.control.ErrorCollector
 
+if (!security.hasPermission('ENTITY_MAINT', userLogin)) {
+    return
+}
 String groovyProgram = null
 recordValues = []
 errMsgList = []