Fixed: Finetune webtools screen and event permissions

framework/base/config/SafeObjectInputStream.properties

@@ -27,7 +27,7 @@
 #     . don't forget to add new objects in SafeObjectInputStream class too (as default there).
 #     . "foo" and "SerializationInjector" are used in OFBiz tests
 
-allowList=byte\\[\\], foo, SerializationInjector, \\[Z,\\[B,\\[S,\\[I,\\[J,\\[F,\\[D,\\[C, java..*, org.apache.ofbiz..*, org.codehaus.groovy.runtime.GStringImpl, groovy.lang.GString
+allowList=byte\\[\\], foo, SerializationInjector, \\[Z,\\[B,\\[S,\\[I,\\[J,\\[F,\\[D,\\[C, java..*, org.apache.ofbiz..*, org.codehaus.groovy.runtime.GStringImpl, groovy.lang.GString, sun.util.calendar.ZoneInfo
 
 #-- List of strings rejected for serialisation
 #-- The same comments than for allowList apply to denyList

framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java

@@ -68,7 +68,8 @@ public final class SafeObjectInputStream extends ObjectInputStream {
             "org\\.apache\\.ofbiz\\.entity\\.GenericValue",
             "org\\.apache\\.ofbiz\\.entity\\.GenericPK",
             "org\\.codehaus\\.groovy\\.runtime\\.GStringImpl",
-            "groovy\\.lang\\.GString"};
+            "groovy\\.lang\\.GString",
+            "sun\\.util\\.calendar\\.ZoneInfo"};
     private static final String[] DEFAULT_DENYLIST = {"rmi", "<"};
 
     /** The regular expression used to match serialized types. */

framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/CoreEvents.java

@@ -113,6 +113,12 @@ public static String scheduleService(HttpServletRequest request, HttpServletResp
         Locale locale = UtilHttp.getLocale(request);
         TimeZone timeZone = UtilHttp.getTimeZone(request);
 
+        if (!security.hasPermission("SERVICE_MAINT", userLogin)) {
+            String errMsg = UtilProperties.getMessage(ERR_RESOURCE, "coreEvents.not_authorized_to_call", locale);
+            request.setAttribute("_ERROR_MESSAGE_", errMsg);
+            return "error";
+        }
+
         Map<String, Object> params = UtilHttp.getParameterMap(request);
         // get the schedule parameters
         String jobName = (String) params.remove("JOB_NAME");
@@ -434,11 +440,19 @@ public static Object getObjectFromServicePath(String servicePath, Map<String, ?
      * @return Response code string
      */
     public static String runService(HttpServletRequest request, HttpServletResponse response) {
+        Security security = (Security) request.getAttribute("security");
+        GenericValue userLogin = (GenericValue) request.getSession().getAttribute("userLogin");
         // get the mode and service name
         String serviceName = request.getParameter("serviceName");
         String mode = request.getParameter("mode");
         Locale locale = UtilHttp.getLocale(request);
 
+        if (!security.hasPermission("SERVICE_MAINT", userLogin)) {
+            String errMsg = UtilProperties.getMessage(ERR_RESOURCE, "coreEvents.not_authorized_to_call", locale);
+            request.setAttribute("_ERROR_MESSAGE_", errMsg);
+            return "error";
+        }
+
         if (UtilValidate.isEmpty(serviceName)) {
             String errMsg = UtilProperties.getMessage(ERR_RESOURCE, "coreEvents.must_specify_service_name", locale);
             request.setAttribute("_ERROR_MESSAGE_", errMsg);
@@ -450,7 +464,6 @@ public static String runService(HttpServletRequest request, HttpServletResponse
         }
 
         // now do a security check
-        Security security = (Security) request.getAttribute("security");
         LocalDispatcher dispatcher = (LocalDispatcher) request.getAttribute("dispatcher");
 
         //lookup the service definition to see if this service is externally available, if not require the SERVICE_INVOKE_ANY permission

framework/webtools/widget/CommonScreens.xml

@@ -153,7 +153,7 @@ under the License.
                     <decorator-section name="pre-body">
                         <section>
                             <condition>
-                                <if-has-permission permission="WEBTOOLS" action="_VIEW"/>
+                                <if-has-permission permission="SERVICE_MAINT"/>
                             </condition>
                             <widgets>
                                 <include-menu name="ServiceTabBar" location="component://webtools/widget/Menus.xml"/>
@@ -164,7 +164,7 @@ under the License.
                         <section>
                             <!-- do check for WEBTOOLS, _VIEW permission -->
                             <condition>
-                                <if-has-permission permission="WEBTOOLS" action="_VIEW"/>
+                                <if-has-permission permission="SERVICE_MAINT"/>
                             </condition>
                             <widgets>
                                 <decorator-section-include name="body"/>
@@ -297,7 +297,7 @@ under the License.
                     <decorator-section name="pre-body">
                         <section>
                             <condition>
-                                <if-has-permission permission="WEBTOOLS" action="_VIEW"/>
+                                <if-has-permission permission="PORTALPAGE_ADMIN"/>
                             </condition>
                             <widgets>
                                 <include-menu name="GeoManagement" location="component://webtools/widget/Menus.xml"/>
@@ -306,9 +306,8 @@ under the License.
                     </decorator-section>
                     <decorator-section name="body">
                         <section>
-                            <!-- do check for WEBTOOLS, _VIEW permission -->
                             <condition>
-                                <if-has-permission permission="WEBTOOLS" action="_VIEW"/>
+                                <if-has-permission permission="PORTALPAGE_ADMIN"/>
                             </condition>
                             <widgets>
                                 <decorator-section-include name="body"/>