Skip to content

Backported: Enhance password change workflow and Webtools permission checks (pr #1196) #1198

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jacopoc merged 2 commits into from
May 12, 2026
Merged

Backported: Enhance password change workflow and Webtools permission checks (pr #1196) #1198

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
558735a
Fixed: Implement permission checks for ENTITY_MAINT in EntitySQLProce…
jacopoc May 11, 2026
238b884
Fixed: Remove unnecessary requirePasswordChange parameter from Change…
jacopoc May 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 7 additions & 7 deletions framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -444,10 +444,9 @@ public static String login(HttpServletRequest request, HttpServletResponse respo
if (UtilValidate.isEmpty(password) && UtilValidate.isEmpty(token)) {
unpwErrMsgList.add(UtilProperties.getMessage(RESOURCE, "loginevents.password_was_empty_reenter", UtilHttp.getLocale(request)));
}
boolean requirePasswordChange = "Y".equals(request.getParameter("requirePasswordChange"));
if (!unpwErrMsgList.isEmpty()) {
request.setAttribute("_ERROR_MESSAGE_LIST_", unpwErrMsgList);
return requirePasswordChange ? "requirePasswordChange" : "error";
return "error";
}

boolean setupNewDelegatorEtc = false;
Expand Down Expand Up @@ -535,8 +534,9 @@ public static String login(HttpServletRequest request, HttpServletResponse respo

if (ModelService.RESPOND_SUCCESS.equals(result.get(ModelService.RESPONSE_MESSAGE))) {
GenericValue userLogin = (GenericValue) result.get("userLogin");

if (requirePasswordChange) {
if (userLogin != null && "Y".equals(userLogin.getString("requirePasswordChange"))
&& UtilValidate.isNotEmpty(request.getParameter("newPassword"))
&& UtilValidate.isNotEmpty(request.getParameter("newPasswordVerify"))) {
Map<String, Object> inMap = UtilMisc.<String, Object>toMap(
"login.username", username,
"login.password", password,
Expand All @@ -554,7 +554,7 @@ public static String login(HttpServletRequest request, HttpServletResponse respo
String errMsg = UtilProperties.getMessage(RESOURCE, "loginevents.following_error_occurred_during_login",
messageMap, UtilHttp.getLocale(request));
request.setAttribute("_ERROR_MESSAGE_", errMsg);
return "requirePasswordChange";
return "error";
}
if (ServiceUtil.isError(resultPasswordChange)) {
String errorMessage = (String) resultPasswordChange.get(ModelService.ERROR_MESSAGE);
Expand All @@ -565,7 +565,7 @@ public static String login(HttpServletRequest request, HttpServletResponse respo
request.setAttribute("_ERROR_MESSAGE_", errMsg);
}
request.setAttribute("_ERROR_MESSAGE_LIST_", resultPasswordChange.get(ModelService.ERROR_MESSAGE_LIST));
return "requirePasswordChange";
return "error";
} else {
try {
userLogin.refresh();
Expand All @@ -575,7 +575,7 @@ public static String login(HttpServletRequest request, HttpServletResponse respo
String errMsg = UtilProperties.getMessage(RESOURCE, "loginevents.following_error_occurred_during_login",
messageMap, UtilHttp.getLocale(request));
request.setAttribute("_ERROR_MESSAGE_", errMsg);
return "requirePasswordChange";
return "error";
}
}
}
Expand Down
104 changes: 53 additions & 51 deletions ...ework/webtools/src/main/groovy/org/apache/ofbiz/webtools/entity/EntitySQLProcessor.groovy
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,66 +24,68 @@ import java.sql.ResultSetMetaData
import org.apache.ofbiz.entity.jdbc.SQLProcessor
import org.apache.ofbiz.entity.model.ModelGroupReader

String sqlCommand = context.request.getParameter('sqlCommand') // (see OFBIZ-6567)
if (security.hasPermission('ENTITY_MAINT', session)) {
String sqlCommand = context.request.getParameter('sqlCommand') // (see OFBIZ-6567)

String resultMessage = ''
List<String> columns = []
List<List<Object>> records = []
ModelGroupReader mgr = delegator.getModelGroupReader()
List<Map<String,String>> groups = []
mgr.getGroupNames(delegator.getDelegatorName()).each { String group ->
groups.add(0, ['group': group]) //use for list-option in widget drop-down
}

if (sqlCommand && selGroup) {
try (SQLProcessor du = new SQLProcessor(delegator, delegator.getGroupHelperInfo(selGroup))) {
if (sqlCommand.toUpperCase().startsWith('SELECT')) {
try (ResultSet rs = du.executeQuery(sqlCommand)) {
ResultSetMetaData rsmd = rs.getMetaData()
String resultMessage = ''
List<String> columns = []
List<List<Object>> records = []
ModelGroupReader mgr = delegator.getModelGroupReader()
List<Map<String,String>> groups = []
mgr.getGroupNames(delegator.getDelegatorName()).each { String group ->
groups.add(0, ['group': group]) //use for list-option in widget drop-down
}

int numberOfColumns = rsmd.getColumnCount()
for (int i = 1; i <= numberOfColumns; i++) {
columns.add(rsmd.getColumnLabel(i))
}
if (sqlCommand && selGroup) {
try (SQLProcessor du = new SQLProcessor(delegator, delegator.getGroupHelperInfo(selGroup))) {
if (sqlCommand.toUpperCase().startsWith('SELECT')) {
try (ResultSet rs = du.executeQuery(sqlCommand)) {
ResultSetMetaData rsmd = rs.getMetaData()

boolean rowLimitReached = false
while (rs.next()) {
if (records.size() >= rowLimit) {
rowLimitReached = true
break
int numberOfColumns = rsmd.getColumnCount()
for (int i = 1; i <= numberOfColumns; i++) {
columns.add(rsmd.getColumnLabel(i))
}

List<Object> record = []
for (int i = 1; i <= numberOfColumns; i++) {
record.add(rs.getObject(i))
boolean rowLimitReached = false
while (rs.next()) {
if (records.size() >= rowLimit) {
rowLimitReached = true
break
}

List<Object> record = []
for (int i = 1; i <= numberOfColumns; i++) {
record.add(rs.getObject(i))
}
records.add(record)
}
records.add(record)

resultMessage = "Returned ${rowLimitReached ? '' : 'top'} ${records.size() as String} rows."
}
} else {
if (sqlCommand.toUpperCase().contains('SYSCS_UTIL.SYSCS_EXPORT_TABLE')
|| sqlCommand.toUpperCase().contains('JSP')) {
context.resultMessage = 'Not executed for security reason'
context.groups = groups
context.columns = columns
context.records = records
context.sqlCommand = sqlCommand
return
}

resultMessage = "Returned ${rowLimitReached ? '' : 'top'} ${records.size() as String} rows."
}
} else {
if (sqlCommand.toUpperCase().contains('SYSCS_UTIL.SYSCS_EXPORT_TABLE')
|| sqlCommand.toUpperCase().contains('JSP')) {
context.resultMessage = 'Not executed for security reason'
context.groups = groups
context.columns = columns
context.records = records
context.sqlCommand = sqlCommand
return
du.prepareStatement(sqlCommand)
numOfAffectedRows = du.executeUpdate()
resultMessage = "Affected $numOfAffectedRows rows."
}

du.prepareStatement(sqlCommand)
numOfAffectedRows = du.executeUpdate()
resultMessage = "Affected $numOfAffectedRows rows."
} catch (Exception exc) {
resultMessage = exc.getMessage()
}
} catch (Exception exc) {
resultMessage = exc.getMessage()
}
}

context.groups = groups
context.resultMessage = resultMessage
context.columns = columns
context.records = records
context.sqlCommand = sqlCommand // (see OFBIZ-6567)
context.groups = groups
context.resultMessage = resultMessage
context.columns = columns
context.records = records
context.sqlCommand = sqlCommand // (see OFBIZ-6567)
}
Loading
Loading