Closed racoy closed 2 years ago
DataManager doesn't check @EntityAttributeAccess on Entity. For example: StoreEmployeeRole can change importantField (view only in security settings).
```java
@Role(name = StoreEmployeeRole.NAME)
public class StoreEmployeeRole extends AnnotatedRoleDefinition {

    public final static String NAME = "StoreEmployee";

    @EntityAccess(entityClass = Store.class, operations = {EntityOp.READ, EntityOp.UPDATE})
    @Override
    public EntityPermissionsContainer entityPermissions() {
        return super.entityPermissions();
    }

    // importantField is only viewable; only notImportantField may be modified
    @EntityAttributeAccess(entityClass = Store.class, view = "*", modify = "notImportantField")
    @Override
    public EntityAttributePermissionsContainer entityAttributePermissions() {
        return super.entityAttributePermissions();
    }

    @ScreenAccess(screenIds = {"seccollapse_Store.browse", "seccollapse_Store.edit", "network-menu", "application-seccollapse"})
    @Override
    public ScreenPermissionsContainer screenPermissions() {
        return super.screenPermissions();
    }
}
```
1) Create a user with the StoreEmployee role
2) Create a Store instance
3) Click "just button" in the store editor:
```java
@Subscribe("justBtn")
public void onJustBtnClick(Button.ClickEvent event) {
    // modifies an attribute the role is only allowed to view
    storeDc.getItem().setImportantField((long) (Math.random() * 1000));
}
```
4) Click "Ok" to save the entity

ER: Exception. AR: successful commit.

Simple demonstration project here: seccollapse.zip
DataManager checks entity attribute permissions only if you set cuba.entityAttributePermissionChecking to true. See https://doc.cuba-platform.com/manual-7.2/data_access_checks.html
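Two things follow from that reply for anyone relying on attribute-level permissions as a security boundary: the middleware check is opt-in (set `cuba.entityAttributePermissionChecking = true` in the core module's app.properties so DataManager rejects the commit), and the UI should not attempt a write it knows the current user is not allowed to make. The controller below is an added example, not code from the issue or from the CUBA project; it assumes the `Store` entity, `storeDc` container and `justBtn` button from the report, and uses the `Security` bean's `isEntityAttrPermitted` check (CUBA 7 API) to gate the write on the role's MODIFY permission for `importantField`.

```java
// Added example (not from the issue): a defensive version of onJustBtnClick.
// Assumes the Store entity, storeDc container and justBtn from the report.
// The authoritative check still has to be enabled on the middleware:
//   cuba.entityAttributePermissionChecking = true   (core module app.properties)
// Without it, DataManager commits whatever the client sends, as the report shows.
import com.haulmont.cuba.core.global.EntityAttrAccess;
import com.haulmont.cuba.core.global.Security;
import com.haulmont.cuba.gui.Notifications;
import com.haulmont.cuba.gui.components.Button;
import com.haulmont.cuba.gui.model.InstanceContainer;
import com.haulmont.cuba.gui.screen.*;

import javax.inject.Inject;

@UiController("seccollapse_Store.edit")
@UiDescriptor("store-edit.xml")
@EditedEntityContainer("storeDc")
public class StoreEdit extends StandardEditor<Store> {

    @Inject
    private InstanceContainer<Store> storeDc;
    @Inject
    private Security security;
    @Inject
    private Notifications notifications;

    @Subscribe("justBtn")
    public void onJustBtnClick(Button.ClickEvent event) {
        // Client-side guard: a StoreEmployee has view="*" but modify="notImportantField",
        // so this returns false for importantField and the write is skipped.
        if (!security.isEntityAttrPermitted(Store.class, "importantField", EntityAttrAccess.MODIFY)) {
            notifications.create(Notifications.NotificationType.WARNING)
                    .withCaption("You are not permitted to modify importantField")
                    .show();
            return;
        }
        storeDc.getItem().setImportantField((long) (Math.random() * 1000));
    }
}
```

The UI guard only improves the user experience and keeps honest clients from sending forbidden changes; any client can bypass it, so the property on the middleware is the control that actually enforces the role definition. Once it is enabled, a commit touching a non-modifiable attribute fails at DataManager, which is the expected result the report asks for.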