From b27fef613f7aefe3095c20465f19bda0721cd5e8 Mon Sep 17 00:00:00 2001 From: Galen Charlton Date: Fri, 6 Aug 2021 11:35:49 -0400 Subject: [PATCH] LP#1450519: remove unauthorized access to library setting history This patch changes the current Library Settings editor so that it doesn't display the setting history for a setting that the user doesn't have the underlying view permission for. It also removes the coustl IDL class [config.org_unit_setting_type_log] from PCRUD. Access to the setting history is now done through a new method, open-ils.actor.org_unit.settings.history.visible.retrieve, which accepts an authtoken and a setting name. If the user has the relevant view permission, setting history entries at all of the OUs that they have the permission at are returned. If the user lacks the permission, an empty array is returned. If the setting has no permission associated with it, all history entries for the setting are returned. The user must have at least STAFF_LOGIN to retrieve any entries at all. To test ------- [1] As an administrator, make some changes to the values of a privileged library setting (such as one of the credit card ones) and an unprivileged one (e.g., lib.info_url). [2] Log in as a staff user without administration privileges and go to the library settings editor. Note that while the current value of privileged settings are not displayed, clicking on the history link displays the full history of the setting. [3] Apply the patch and repeat step 2. [4] This time, history for the privileged setting is not displayed, while history for an unprivileged setting continues to be available. Signed-off-by: Galen Charlton Signed-off-by: Shula Link Signed-off-by: Jason Stephenson --- Open-ILS/examples/fm_IDL.xml | 10 +---- .../perlmods/lib/OpenILS/Application/Actor.pm | 44 ++++++++++++++++++ .../server/admin/org_unit_settings.js | 45 ++++++++++++------- 3 files changed, 73 insertions(+), 26 deletions(-) 
diff --git a/Open-ILS/examples/fm_IDL.xml b/Open-ILS/examples/fm_IDL.xml
index 5c462e4ce2..36369fbfb0 100644
--- a/Open-ILS/examples/fm_IDL.xml
+++ b/Open-ILS/examples/fm_IDL.xml
@@ -13117,7 +13117,7 @@ SELECT usr,
-
+
@@ -13130,14 +13130,6 @@ SELECT usr,
-
-
-
-
-
-
-
-
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
index 4f0a78258c..72251e4841 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
@@ -247,6 +247,50 @@ sub set_ou_settings {
 return 1;
 }
+__PACKAGE__->register_method(
+ method => "fetch_visible_ou_settings_log",
+ api_name => "open-ils.actor.org_unit.settings.history.visible.retrieve",
+ signature => {
+ desc => "Retrieves the log entries for the specified OU setting. " .
+ "If the setting has a view permission, the results are limited " .
+ "to entries at the OUs that the user has the view permission. ",
+ params => [
+ {desc => 'Authentication token', type => 'string'},
+ {desc => 'Setting name', type => 'string'}
+ ],
+ return => {desc => 'List of fieldmapper objects of the log entries, Event on error'}
+ }
+);
+
+sub fetch_visible_ou_settings_log {
+ my( $self, $client, $auth, $setting ) = @_;
+
+ my $e = new_editor(authtoken => $auth);
+ return $e->event unless $e->checkauth;
+ return $e->die_event unless $e->allowed("STAFF_LOGIN");
+ return OpenILS::Event->new('BAD_PARAMS') unless defined($setting);
+
+ my $type = $e->retrieve_config_org_unit_setting_type([
+ $setting,
+ {flesh => 1, flesh_fields => {coust => ['view_perm']}}
+ ]);
+ return OpenILS::Event->new('BAD_PARAMS', note => 'setting type not found')
+ unless $type;
+
+ my $query = { field_name => $setting };
+ if ($type->view_perm) {
+ $query->{org} = $U->user_has_work_perm_at($e, $type->view_perm->code, {descendants => 1});
+ if (scalar @{ $query->{org} } == 0) {
+ # user doesn't have the view permission anywhere, so return nothing
+ return [];
+ }
+ }
+
+ my $results = $e->search_config_org_unit_setting_type_log([$query, {'order_by' => 'date_applied ASC'}])
+ or return $e->die_event;
+ return $results;
+}
+ __PACKAGE__->register_method(
+ method => "user_settings",
+ authoritative => 1,
diff --git a/Open-ILS/xul/staff_client/server/admin/org_unit_settings.js b/Open-ILS/xul/staff_client/server/admin/org_unit_settings.js
index 85a9ea87c1..b2b6bfd95a 100644
--- a/Open-ILS/xul/staff_client/server/admin/org_unit_settings.js
+++ b/Open-ILS/xul/staff_client/server/admin/org_unit_settings.js
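Review bot: `scalar @{ $query->{org} }` in fetch_visible_ou_settings_log dereferences whatever `$U->user_has_work_perm_at` returns without checking that it is an array reference; if that helper can return undef for a user with no work OUs, the deref dies under `use strict` and the caller gets a server error instead of the intended empty list. A defensive form is `my $orgs = $U->user_has_work_perm_at($e, $type->view_perm->code, {descendants => 1}) || []; return [] unless @$orgs; $query->{org} = $orgs;`. The `desc` string in the registration also ends in a stray trailing space and reads awkwardly; `"to entries at the OUs where the user holds that permission."` is clearer. Whether user_has_work_perm_at can return undef is not visible in this hunk, so treat the first point as something to confirm against its definition.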
@@ -536,25 +536,36 @@ function osLaunchHistory(name) {
 dojo.byId('osHistName').innerHTML = osSettings[name].label;
 var data = dojo.byId('histTitle').innerHTML;
- var thisHist = pcrud.search('coustl', {'field_name':name});
- for(var i in thisHist.reverse()) {
- d = thisHist[i].date_applied();
- a = ouNames[thisHist[i].org()];
- o = thisHist[i].original_value();
- if(o) o=o.replace(/\&/g,'&').replace(//g,'>');
- n = thisHist[i].new_value();
- if(n) n=n.replace(/\&/g,'&').replace(//g,'>');
- r = thisHist[i].org();
- // Table is: Date | Org Name | Orig Value | New Value | Revert
- data += "" + d + "" + a + "" + o +
- "" + n + "" +
- ""+dojo.byId('os-revert').innerHTML+"";
- }
+ fieldmapper.standardRequest(
+ [ 'open-ils.actor',
+ 'open-ils.actor.org_unit.settings.history.visible.retrieve' ],
+ { async: true,
+ params: [authtoken, name],
+ oncomplete: function(r) {
+ var thisHist = r.recv().content();
+ if(e = openils.Event.parse(thisHist))
+ return alert(e);
+ for(var i in thisHist.reverse()) {
+ d = thisHist[i].date_applied();
+ a = ouNames[thisHist[i].org()];
+ o = thisHist[i].original_value();
+ if(o) o=o.replace(/\&/g,'&').replace(//g,'>');
+ n = thisHist[i].new_value();
+ if(n) n=n.replace(/\&/g,'&').replace(//g,'>');
+ r = thisHist[i].org();
+ // Table is: Date | Org Name | Orig Value | New Value | Revert
+ data += "" + d + "" + a + "" + o +
+ "" + n + "" +
+ ""+dojo.byId('os-revert').innerHTML+"";
+ }
- dojo.byId('historyData').innerHTML = data;
+ dojo.byId('historyData').innerHTML = data;
- showProcessingDialog(false);
- osHistDialog.show();
+ showProcessingDialog(false);
+ osHistDialog.show();
+ }
+ }
+ );
 }
 function showAlert(message, timeout) {
-- 
2.43.2
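Review bot: The early `return alert(e);` in the new oncomplete callback skips `showProcessingDialog(false)`, which only runs on the success path further down, so a permission failure or any other server-side Event leaves the processing dialog open. Hide it before bailing out: `if(e = openils.Event.parse(thisHist)) { showProcessingDialog(false); return alert(e); }`. The loop body also reassigns `r = thisHist[i].org();`, clobbering the callback's response parameter `r`; this is harmless because `r.recv()` has already been consumed, but renaming the parameter (for example `function(resp)`) avoids the confusion, and `e` is assigned without `var` and so becomes an implicit global. osLaunchHistory begins outside the hunk.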