Improved: Added support to allow direct view rendering in override vi…

…ew functionality (OFBIZ-13117) Added allow-direct-view-rendering and direct-view-rendering-with-auth in view-mapping tag, default values will be false. i.e by default now view is allowed to be used as OOTB overridden view functionality. In order to allow the view redirection (override) on all workflows allow-direct-view-rendering must be set to true. If view redirection is allowed and direct-view-rendering-with-auth is set to true then login credentials are necessary to use this functionality. This feature may break some existing flow where overridden view workflow is used Thanks: Deepak Dixit for providing the initial patch
apache · Jun 14, 2024 · 8b1ee1b · 8b1ee1b
1 parent 45afc27
commit 8b1ee1b
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 7 deletions.
diff --git a/applications/content/webapp/content/WEB-INF/controller.xml b/applications/content/webapp/content/WEB-INF/controller.xml
@@ -1993,7 +1993,7 @@ under the License.
     <view-map name="EditWebSitePathAlias" type="screen" page="component://content/widget/WebSiteScreens.xml#EditWebSitePathAlias"/>
     <view-map name="WebSiteContent" type="screen" page="component://content/widget/WebSiteScreens.xml#WebSiteContent"/>
     <view-map name="WebSiteCMS" type="screen" page="component://content/widget/WebSiteScreens.xml#WebSiteCMS"/>
-    <view-map name="WebSiteCMSContent" type="screen" page="component://content/widget/WebSiteScreens.xml#WebSiteCMSContent"/>
+    <view-map name="WebSiteCMSContent" type="screen" page="component://content/widget/WebSiteScreens.xml#WebSiteCMSContent" allow-direct-view-rendering="true"/>
     <view-map name="WebSiteCMSEditor" type="screen" page="component://content/widget/WebSiteScreens.xml#WebSiteCMSEditor"/>
     <view-map name="WebSiteCMSMetaInfo" type="screen" page="component://content/widget/WebSiteScreens.xml#WebSiteCMSMetaInfo"/>
     <view-map name="WebSiteCMSPathAlias" type="screen" page="component://content/widget/WebSiteScreens.xml#WebSiteCMSPathAlias"/>

diff --git a/framework/webapp/dtd/site-conf.xsd b/framework/webapp/dtd/site-conf.xsd
@@ -719,6 +719,25 @@ under the License.
                 </xs:documentation>
             </xs:annotation>
         </xs:attribute>
+        <xs:attribute type="xs:boolean" name="allow-direct-view-rendering" default="false">
+            <xs:annotation>
+                <xs:documentation>
+                    This attribute determines whether direct rendering of the view is allowed when using the override view functionality.
+                    If set to true,
+                    the system permits the view to be rendered directly using the override view functionality.
+                    If false or not specified,
+                    direct rendering is not allowed, and system throws Unknown request exception.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute type="xs:boolean" name="direct-view-rendering-with-auth" default="false">
+            <xs:annotation>
+                <xs:documentation>
+                    If direct-view-rendering-with-auth=true, direct rendering of the view is only allowed with an active login when using the override view functionality.
+                    If direct-view-rendering-with-auth=false, no active login is required.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
         <xs:attribute name="x-frame-options" default="sameorigin">
             <xs:annotation>
                 <xs:documentation>

diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ConfigXMLReader.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ConfigXMLReader.java
@@ -573,6 +573,8 @@ public static class ViewMap {
         public String strictTransportSecurity;
         public String description;
         public boolean noCache = false;
+        public boolean allowDirectViewRendering = false;
+        public boolean directViewRenderingWithAuth = false;
 
         public ViewMap(Element viewMapElement) {
             this.name = viewMapElement.getAttribute("name");
@@ -581,6 +583,8 @@ public ViewMap(Element viewMapElement) {
             this.info = viewMapElement.getAttribute("info");
             this.contentType = viewMapElement.getAttribute("content-type");
             this.noCache = "true".equals(viewMapElement.getAttribute("no-cache"));
+            this.allowDirectViewRendering = "true".equals(viewMapElement.getAttribute("allow-direct-view-rendering"));
+            this.directViewRenderingWithAuth = "true".equals(viewMapElement.getAttribute("direct-view-rendering-with-auth"));
             this.encoding = viewMapElement.getAttribute("encoding");
             this.xFrameOption = viewMapElement.getAttribute("x-frame-options");
             this.strictTransportSecurity = viewMapElement.getAttribute("strict-transport-security");

diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -194,15 +194,20 @@ public ConfigXMLReader.ControllerConfig getControllerConfig() {
      */
     static Collection<RequestMap> resolveURI(ControllerConfig ccfg, HttpServletRequest req) {
         Map<String, List<RequestMap>> requestMapMap = ccfg.getRequestMapMap();
-        Map<String, ConfigXMLReader.ViewMap> viewMapMap = ccfg.getViewMapMap();
         String defaultRequest = ccfg.getDefaultRequest();
         String path = req.getPathInfo();
         String requestUri = getRequestUri(path);
-        String viewUri = getOverrideViewUri(path);
+        String overrideViewUri = getOverrideViewUri(path);
+        boolean allowDirectViewRendering = false;
         Collection<RequestMap> rmaps;
+        // Ensure that overridden view exists and direct view rendering is allowed.
+        if (UtilValidate.isNotEmpty(overrideViewUri)) {
+            ConfigXMLReader.ViewMap overrideViewMap = ccfg.getViewMapMap().get(overrideViewUri);
+            allowDirectViewRendering = (overrideViewMap != null && overrideViewMap.allowDirectViewRendering);
+        }
         if (requestMapMap.containsKey(requestUri)
                 // Ensure that overridden view exists.
-                && (viewUri == null || viewMapMap.containsKey(viewUri)
+                && (allowDirectViewRendering
                 || ("SOAPService".equals(requestUri) && "wsdl".equalsIgnoreCase(req.getQueryString())))){
             rmaps = requestMapMap.get(requestUri);
         } else if (defaultRequest != null) {
@@ -477,9 +482,14 @@ public void doRequest(HttpServletRequest request, HttpServletResponse response,
         if (Debug.verboseOn()) Debug.logVerbose("[Processing Request]: " + requestMap.uri + showSessionId(request), module);
         request.setAttribute("thisRequestUri", requestMap.uri); // store the actual request URI
 
-
+        boolean directViewRenderingWithAuth = false;
+        // Check if direct view rendering requires authentication.
+        if (UtilValidate.isNotEmpty(overrideViewUri)) {
+            ConfigXMLReader.ViewMap overrideViewMap = ccfg.getViewMapMap().get(overrideViewUri);
+            directViewRenderingWithAuth = (overrideViewMap != null && overrideViewMap.directViewRenderingWithAuth);
+        }
         // Perform security check.
-        if (requestMap.securityAuth) {
+        if (requestMap.securityAuth || directViewRenderingWithAuth) {
             // Invoke the security handler
             // catch exceptions and throw RequestHandlerException if failed.
             if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler]: AuthRequired. Running security check. " + showSessionId(request), module);
@@ -500,6 +510,8 @@ public void doRequest(HttpServletRequest request, HttpServletResponse response,
                 } else {
                     requestMap = ccfg.getRequestMapMap().getFirst("ajaxCheckLogin");
                 }
+                // overrideViewUri needs to be deleted, as there is no authentication
+                overrideViewUri = null;
             }
         } else if (requestUri != null) {
             String[] loginUris = EntityUtilProperties.getPropertyValue("security", "login.uris", delegator).split(",");

diff --git a/framework/webapp/src/test/java/org/apache/ofbiz/webapp/control/RequestHandlerTests.java b/framework/webapp/src/test/java/org/apache/ofbiz/webapp/control/RequestHandlerTests.java
@@ -40,6 +40,7 @@
 import org.apache.ofbiz.webapp.control.ConfigXMLReader.ViewMap;
 import org.junit.Before;
 import org.junit.Test;
+import org.mockito.Mockito;
 import org.w3c.dom.Element;
 
 public class RequestHandlerTests {
@@ -126,10 +127,12 @@ public void resolveURIBasicOverrideView() throws Exception {
             reqMaps.putSingle("foo", foo);
             reqMaps.putSingle("bar", bar);
 
-            viewMaps.put("baz", new ViewMap(dummyElement));
+            //viewMaps.put("baz", new ViewMap(dummyElement));
+            viewMaps.put("baz", Mockito.mock(ViewMap.class)); // Mock the ViewMap
 
             when(req.getPathInfo()).thenReturn("/foo/baz");
             when(ccfg.getDefaultRequest()).thenReturn("bar");
+            when(viewMaps.get("baz").allowDirectViewRendering).thenReturn(true);
             assertThat(RequestHandler.resolveURI(ccfg, req), hasItem(foo));
         }