Fix for ALF-2512 - ability to execute JavaScript via cmd servlet by a non-admin user disabled by default.

- user script execution privileges can be reactivated if required via web-client-config flag <allow-user-script-execute> git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@19933 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-07 17:49:17 +00:00 · 2010-04-21 12:11:40 +00:00
parent 82dc2c6ab5
commit 4cae5cd7e7
4 changed files with 55 additions and 10 deletions
--- a/source/java/org/alfresco/web/app/servlet/command/ScriptCommandProcessor.java
+++ b/source/java/org/alfresco/web/app/servlet/command/ScriptCommandProcessor.java
@@ -28,15 +28,19 @@ import javax.servlet.http.HttpServletRequest;

 import org.alfresco.error.AlfrescoRuntimeException;
 import org.alfresco.repo.jscript.ScriptableHashMap;
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.service.ServiceRegistry;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.StoreRef;
 import org.alfresco.service.cmr.security.AccessStatus;
+import org.alfresco.service.cmr.security.AuthorityService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.web.app.Application;
 import org.alfresco.web.app.servlet.BaseServlet;
 import org.alfresco.web.bean.repository.Repository;
 import org.alfresco.web.bean.repository.User;
+import org.alfresco.web.config.ClientConfigElement;
+import org.springframework.extensions.config.ConfigService;

 /**
 * Script command processor implementation.
@@ -98,7 +102,7 @@ public final class ScriptCommandProcessor implements CommandProcessor
         }
      }
      
-      // check we can access the nodes specified
+      // check we can READ access the nodes specified
      PermissionService ps = Repository.getServiceRegistry(sc).getPermissionService();
      allowed = (ps.hasPermission(this.scriptRef, PermissionService.READ) == AccessStatus.ALLOWED);
      if (this.docRef != null)
@@ -106,7 +110,14 @@ public final class ScriptCommandProcessor implements CommandProcessor
         allowed &= (ps.hasPermission(this.docRef, PermissionService.READ) == AccessStatus.ALLOWED);
      }
      
-      // check that the user has at least READ access on the node - else redirect to the login page
+      // check to see if user is allowed to execute arbituary javascript
+      // by default only an admin authority can perform this action
+      ConfigService configService = Application.getConfigService(sc);
+      ClientConfigElement configElement = (ClientConfigElement)configService.getGlobalConfig().getConfigElement("client");
+      boolean allowScriptExecute = configElement.getAllowUserScriptExecute();
+      AuthorityService authService = Repository.getServiceRegistry(sc).getAuthorityService();
+      allowed &= (allowScriptExecute || authService.isAdminAuthority(AuthenticationUtil.getFullyAuthenticatedUser()));
+      
      return allowed;
   }