From 2c97234ddd3d1a4a3d3260dd0bc9b962a18497fb Mon Sep 17 00:00:00 2001
From: Jacopo Cappellato
Date: Sun, 10 May 2026 09:28:02 +0200
Subject: [PATCH 1/3] Fixed: Update permission checks in CommonScreens.xml for webtools access
---
 framework/webtools/widget/CommonScreens.xml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/framework/webtools/widget/CommonScreens.xml b/framework/webtools/widget/CommonScreens.xml
index 17dd97b31de..c9c49526669 100644
--- a/framework/webtools/widget/CommonScreens.xml
+++ b/framework/webtools/widget/CommonScreens.xml
@@ -153,7 +153,7 @@ under the License.
- + @@ -164,7 +164,7 @@ under the License.
- + @@ -297,7 +297,7 @@ under the License.
- + @@ -306,9 +306,8 @@ under the License.
- - +
From 8dc730273330bd1325df0406ae5876d6c926a81a Mon Sep 17 00:00:00 2001
From: Jacopo Cappellato
Date: Sun, 10 May 2026 09:30:45 +0200
Subject: [PATCH 2/3] Fixed: Add sun.util.calendar.ZoneInfo to allowList in SafeObjectInputStream configuration
---
 framework/base/config/SafeObjectInputStream.properties | 2 +-
 .../java/org/apache/ofbiz/base/util/SafeObjectInputStream.java | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/framework/base/config/SafeObjectInputStream.properties b/framework/base/config/SafeObjectInputStream.properties
index 3e6fda2e746..7f759b66f57 100644
--- a/framework/base/config/SafeObjectInputStream.properties
+++ b/framework/base/config/SafeObjectInputStream.properties
@@ -27,7 +27,7 @@
 # . don't forget to add new objects in SafeObjectInputStream class too (as default there).
 # . "foo" and "SerializationInjector" are used in OFBiz tests
-allowList=byte\\[\\], foo, SerializationInjector, \\[Z,\\[B,\\[S,\\[I,\\[J,\\[F,\\[D,\\[C, java..*, org.apache.ofbiz..*, org.codehaus.groovy.runtime.GStringImpl, groovy.lang.GString
+allowList=byte\\[\\], foo, SerializationInjector, \\[Z,\\[B,\\[S,\\[I,\\[J,\\[F,\\[D,\\[C, java..*, org.apache.ofbiz..*, org.codehaus.groovy.runtime.GStringImpl, groovy.lang.GString, sun.util.calendar.ZoneInfo
 #-- List of strings rejected for serialisation
 #-- The same comments than for allowList apply to denyList
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
index aedea1a082e..9fe35b58f9d 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
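Review bot: The new `sun.util.calendar.ZoneInfo` entry at the end of `allowList` is the only JDK-internal (non-`java.`) class in the list and carries no explanation, so a maintainer later pruning the allow-list has no way to tell what breaks if it is removed. Presumably it is required because the concrete class of a `java.util.TimeZone` at runtime (as carried inside serialized `Calendar`/`GregorianCalendar` values) is `ZoneInfo`, which the `java..*` pattern does not cover; if that is the reason, record it next to the entry, e.g. `# . sun.util.calendar.ZoneInfo: runtime class of java.util.TimeZone, needed for serialized Calendar/TimeZone values (not matched by java..*)`. Note that the list is applied as regular expressions (the `\\[` escapes and `java..*` show this), so the bare dots here match any character; that follows the file's existing convention, but it differs from the escaped form used for the same entry in the Java default list, and the comment above the list should say which form is canonical so the two stay in sync.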
@@ -68,7 +68,8 @@ public final class SafeObjectInputStream extends ObjectInputStream {
 "org\\.apache\\.ofbiz\\.entity\\.GenericValue",
 "org\\.apache\\.ofbiz\\.entity\\.GenericPK",
 "org\\.codehaus\\.groovy\\.runtime\\.GStringImpl",
- "groovy\\.lang\\.GString"};
+ "groovy\\.lang\\.GString",
+ "sun\\.util\\.calendar\\.ZoneInfo"};
 private static final String[] DEFAULT_DENYLIST = {"rmi", "<"};
 /** The regular expression used to match serialized types. */
From 44054638ca1be5183948aeedcf26c892bb04a185 Mon Sep 17 00:00:00 2001
From: Jacopo Cappellato
Date: Sun, 10 May 2026 09:57:52 +0200
Subject: [PATCH 3/3] Fixed: Add permission checks for SERVICE_MAINT in CoreEvents to enhance security
---
 .../org/apache/ofbiz/webapp/event/CoreEvents.java | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/CoreEvents.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/CoreEvents.java
index acffefec86b..f84beac86d5 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/CoreEvents.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/CoreEvents.java
@@ -113,6 +113,12 @@ public static String scheduleService(HttpServletRequest request, HttpServletResp
 Locale locale = UtilHttp.getLocale(request);
 TimeZone timeZone = UtilHttp.getTimeZone(request);
+ if (!security.hasPermission("SERVICE_MAINT", userLogin)) {
+ String errMsg = UtilProperties.getMessage(ERR_RESOURCE, "coreEvents.not_authorized_to_call", locale);
+ request.setAttribute("_ERROR_MESSAGE_", errMsg);
+ return "error";
+ }
+
 Map params = UtilHttp.getParameterMap(request);
 // get the schedule parameters
 String jobName = (String) params.remove("JOB_NAME");
@@ -434,11 +440,19 @@ public static Object getObjectFromServicePath(String servicePath, Map
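Review bot: The added `"sun\\.util\\.calendar\\.ZoneInfo"` entry is the first JDK-internal class in this default allow-list and, unlike every other entry, its purpose is not evident from the name, so it needs a why-comment; the properties file this array backs up says nothing about it either. Presumably it is required because `java.util.TimeZone` instances (for example inside serialized `Calendar` values) are really `ZoneInfo` at runtime and `java\\..*`-style patterns do not match the `sun.` package; if so, put `// concrete class of java.util.TimeZone instances; not covered by the java.* pattern — TODO confirm` above the new line. The class comment a few lines down says these entries are regular expressions, and this array is the fallback when the properties list is absent, so the comment should also remind that the two lists must stay byte-for-byte equivalent (the properties entry added in this patch uses unescaped dots). The enclosing class continues outside the hunk.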
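Review bot: The new guard in `scheduleService` dereferences `security` and `userLogin`, both obtained before the hunk (the method starts outside it); if either is read from request attributes and is absent, the check throws a NullPointerException instead of denying, which is the wrong failure mode for an authorization gate. Make it fail closed: `if (security == null || userLogin == null || !security.hasPermission("SERVICE_MAINT", userLogin)) {`. Denied attempts to schedule arbitrary services are exactly what an operator wants in the audit trail, so if the class already has a logger, emit a warning with the user login id before returning `"error"`. The second hunk of this patch (`getObjectFromServicePath`, from line 434) is cut off in this view and cannot be reviewed here.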