Fixed: Add permission checks for SERVICE_MAINT in CoreEvents to enhance security

jacopoc · jacopoc · commit e456b65f894f · 2026-05-10T10:43:09.000+02:00
(cherry picked from commit f05a0c2)
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/CoreEvents.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/CoreEvents.java
@@ -113,6 +113,12 @@ public static String scheduleService(HttpServletRequest request, HttpServletResp
         Locale locale = UtilHttp.getLocale(request);
         TimeZone timeZone = UtilHttp.getTimeZone(request);
 
+        if (!security.hasPermission("SERVICE_MAINT", userLogin)) {
+            String errMsg = UtilProperties.getMessage(ERR_RESOURCE, "coreEvents.not_authorized_to_call", locale);
+            request.setAttribute("_ERROR_MESSAGE_", errMsg);
+            return "error";
+        }
+
         Map<String, Object> params = UtilHttp.getParameterMap(request);
         // get the schedule parameters
         String jobName = (String) params.remove("JOB_NAME");
@@ -434,11 +440,19 @@ public static Object getObjectFromServicePath(String servicePath, Map<String, ?
      * @return Response code string
      */
     public static String runService(HttpServletRequest request, HttpServletResponse response) {
+        Security security = (Security) request.getAttribute("security");
+        GenericValue userLogin = (GenericValue) request.getSession().getAttribute("userLogin");
         // get the mode and service name
         String serviceName = request.getParameter("serviceName");
         String mode = request.getParameter("mode");
         Locale locale = UtilHttp.getLocale(request);
 
+        if (!security.hasPermission("SERVICE_MAINT", userLogin)) {
+            String errMsg = UtilProperties.getMessage(ERR_RESOURCE, "coreEvents.not_authorized_to_call", locale);
+            request.setAttribute("_ERROR_MESSAGE_", errMsg);
+            return "error";
+        }
+
         if (UtilValidate.isEmpty(serviceName)) {
             String errMsg = UtilProperties.getMessage(ERR_RESOURCE, "coreEvents.must_specify_service_name", locale);
             request.setAttribute("_ERROR_MESSAGE_", errMsg);
@@ -450,7 +464,6 @@ public static String runService(HttpServletRequest request, HttpServletResponse
         }
 
         // now do a security check
-        Security security = (Security) request.getAttribute("security");
         LocalDispatcher dispatcher = (LocalDispatcher) request.getAttribute("dispatcher");
 
         //lookup the service definition to see if this service is externally available, if not require the SERVICE_INVOKE_ANY permission
