From 43c698da0ef276067e54b78aaf796ca7b1f452fc Mon Sep 17 00:00:00 2001 From: Jacopo Cappellato Date: Fri, 8 May 2026 19:16:58 +0200 Subject: [PATCH] Fixed: Add permission check for runAsSystemUser in CoreEvents (cherry picked from commit c8d9f4868e82a0faab8d6b010d8f20d2454421df) --- .../main/java/org/apache/ofbiz/webapp/event/CoreEvents.java | 3 +++ 1 file changed, 3 insertions(+) diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/CoreEvents.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/CoreEvents.java index be4ebfcc43c..dabc221d8df 100644 --- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/CoreEvents.java +++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/CoreEvents.java @@ -125,6 +125,9 @@ public static String scheduleService(HttpServletRequest request, HttpServletResp String serviceCnt = (String) params.remove("SERVICE_COUNT"); String retryCnt = (String) params.remove("SERVICE_MAXRETRY"); String runAsSystemUser = (String) params.remove("SERVICE_RUN_AS_SYSTEM"); + if (!security.hasPermission("SERVICE_RSAS_VIEW", userLogin)) { + runAsSystemUser = "N"; + } // the frequency map Map freqMap = new HashMap<>();