Fix for ALF-2512 - ability to execute JavaScript via cmd servlet by a non-admin user disabled by default.

- user script execution privileges can be reactivated if required via web-client-config flag <allow-user-script-execute>

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@19933 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

config/alfresco/web-client-config.xml

@@ -125,6 +125,10 @@
 	      <!-- against the current URL path is required. -->
 	      <!-- Set this flag to true to enable the check. -->
 	      <check-context-against-path>false</check-context-against-path>
+	      
+	      <!-- set true allow any user to execute JavaScript files via the command servlet -->
+	      <!-- since 3.3 only an admin authority can do this by default -->
+         <allow-user-script-execute>false</allow-user-script-execute>
       </client>
    </config>
 

source/java/org/alfresco/web/app/servlet/command/ScriptCommandProcessor.java

@@ -28,15 +28,19 @@ import javax.servlet.http.HttpServletRequest;
 
 import org.alfresco.error.AlfrescoRuntimeException;
 import org.alfresco.repo.jscript.ScriptableHashMap;
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.service.ServiceRegistry;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.StoreRef;
 import org.alfresco.service.cmr.security.AccessStatus;
+import org.alfresco.service.cmr.security.AuthorityService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.web.app.Application;
 import org.alfresco.web.app.servlet.BaseServlet;
 import org.alfresco.web.bean.repository.Repository;
 import org.alfresco.web.bean.repository.User;
+import org.alfresco.web.config.ClientConfigElement;
+import org.springframework.extensions.config.ConfigService;
 
 /**
  * Script command processor implementation.
@@ -98,7 +102,7 @@ public final class ScriptCommandProcessor implements CommandProcessor
          }
       }
       
-      // check we can access the nodes specified
+      // check we can READ access the nodes specified
       PermissionService ps = Repository.getServiceRegistry(sc).getPermissionService();
       allowed = (ps.hasPermission(this.scriptRef, PermissionService.READ) == AccessStatus.ALLOWED);
       if (this.docRef != null)
@@ -106,7 +110,14 @@ public final class ScriptCommandProcessor implements CommandProcessor
          allowed &= (ps.hasPermission(this.docRef, PermissionService.READ) == AccessStatus.ALLOWED);
       }
       
-      // check that the user has at least READ access on the node - else redirect to the login page
+      // check to see if user is allowed to execute arbituary javascript
+      // by default only an admin authority can perform this action
+      ConfigService configService = Application.getConfigService(sc);
+      ClientConfigElement configElement = (ClientConfigElement)configService.getGlobalConfig().getConfigElement("client");
+      boolean allowScriptExecute = configElement.getAllowUserScriptExecute();
+      AuthorityService authService = Repository.getServiceRegistry(sc).getAuthorityService();
+      allowed &= (allowScriptExecute || authService.isAdminAuthority(AuthenticationUtil.getFullyAuthenticatedUser()));
+      
       return allowed;
    }
    

source/java/org/alfresco/web/config/ClientConfigElement.java

@@ -23,15 +23,15 @@ import java.util.List;
 
 import javax.faces.context.FacesContext;
 
-import org.springframework.extensions.config.ConfigElement;
 import org.alfresco.config.JNDIConstants;
-import org.springframework.extensions.config.element.ConfigElementAdapter;
 import org.alfresco.mbeans.VirtServerRegistry;
 import org.alfresco.service.namespace.QName;
 import org.alfresco.util.ExpiringValueCache;
 import org.alfresco.web.bean.repository.Repository;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.springframework.extensions.config.ConfigElement;
+import org.springframework.extensions.config.element.ConfigElementAdapter;
 
 /**
  * Custom config element that represents config values for the client
@@ -82,7 +82,8 @@ public class ClientConfigElement extends ConfigElementAdapter
    private boolean userGroupAdmin = true;
    private boolean allowUserConfig = true;
    private int pickerSearchMinimum = 2;
-   private boolean checkContextAgainstPath = false;
+   private boolean checkContextAgainstPath = false;
+   private boolean allowUserScriptExecute = false;
    
    
    /**
@@ -312,8 +313,13 @@ public class ClientConfigElement extends ConfigElementAdapter
       if (newElement.getCheckContextAgainstPath() != combinedElement.getCheckContextAgainstPath())
       {
          combinedElement.setCheckContextAgainstPath(newElement.getCheckContextAgainstPath());
+      }
+      
+      if (newElement.getAllowUserScriptExecute() != combinedElement.getAllowUserScriptExecute())
+      {
+         combinedElement.setAllowUserScriptExecute(newElement.getAllowUserScriptExecute());
       }
-
+      
       return combinedElement;
    }
    
@@ -890,5 +896,21 @@ public class ClientConfigElement extends ConfigElementAdapter
    /*package*/ void setCheckContextAgainstPath(boolean checkContextAgainstPath)
    {
       this.checkContextAgainstPath = checkContextAgainstPath;
+   }
+   
+   /**
+    * @return true if any user can execute JavaScript via the command servlet
+    */
+   public boolean getAllowUserScriptExecute()
+   {
+      return this.allowUserScriptExecute;
+   }
+
+   /**
+    * @param allowUserScriptExecute true to allow any user to execute JavaScript via the command servlet
+    */
+   /*package*/ void setAllowUserScriptExecute(boolean allowUserScriptExecute)
+   {
+      this.allowUserScriptExecute = allowUserScriptExecute;
    }
 }

source/java/org/alfresco/web/config/ClientElementReader.java

@@ -22,11 +22,11 @@ package org.alfresco.web.config;
 import java.util.ArrayList;
 import java.util.List;
 
+import org.alfresco.service.namespace.QName;
+import org.dom4j.Element;
 import org.springframework.extensions.config.ConfigElement;
 import org.springframework.extensions.config.ConfigException;
 import org.springframework.extensions.config.xml.elementreader.ConfigElementReader;
-import org.alfresco.service.namespace.QName;
-import org.dom4j.Element;
 
 /**
  * Custom element reader to parse config for client config values
@@ -66,7 +66,8 @@ public class ClientElementReader implements ConfigElementReader
    public static final String ELEMENT_USERGROUPADMIN = "user-group-admin";
    public static final String ELEMENT_ALLOWUSERCONFIG = "allow-user-config";
    public static final String ELEMENT_PICKERSEARCHMINIMUM = "picker-search-minimum";
-   public static final String ELEMENT_CHECKCONTEXTPATH = "check-context-against-path";
+   public static final String ELEMENT_CHECKCONTEXTPATH = "check-context-against-path";
+   public static final String ELEMENT_ALLOWUSERSCRIPTEXECUTE = "allow-user-script-execute";
    
    
    /**
@@ -325,7 +326,14 @@ public class ClientElementReader implements ConfigElementReader
          if (checkContextAgainstPath != null)
          {
             configElement.setCheckContextAgainstPath(Boolean.parseBoolean(checkContextAgainstPath.getTextTrim()));
-         }
+         }
+         
+         // get allow any user to execute javascript via the command servlet
+         Element allowUserScriptExecute = element.element(ELEMENT_ALLOWUSERSCRIPTEXECUTE);
+         if (allowUserScriptExecute != null)
+         {
+            configElement.setAllowUserScriptExecute(Boolean.parseBoolean(allowUserScriptExecute.getTextTrim()));
+         }
       }
       
       return configElement;