Fix for ALF-2512 - ability to execute JavaScript via cmd servlet by a non-admin user disabled by default.

- user script execution privileges can be reactivated if required via web-client-config flag <allow-user-script-execute> git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@19933 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-07 17:49:17 +00:00 · 2010-04-21 12:11:40 +00:00
parent 82dc2c6ab5
commit 4cae5cd7e7
4 changed files with 55 additions and 10 deletions
--- a/config/alfresco/web-client-config.xml
+++ b/config/alfresco/web-client-config.xml
@@ -125,6 +125,10 @@
 	      <!-- against the current URL path is required. -->
 	      <!-- Set this flag to true to enable the check. -->
 	      <check-context-against-path>false</check-context-against-path>
+	      
+	      <!-- set true allow any user to execute JavaScript files via the command servlet -->
+	      <!-- since 3.3 only an admin authority can do this by default -->
+         <allow-user-script-execute>false</allow-user-script-execute>
      </client>
   </config>

--- a/source/java/org/alfresco/web/app/servlet/command/ScriptCommandProcessor.java
+++ b/source/java/org/alfresco/web/app/servlet/command/ScriptCommandProcessor.java
@@ -28,15 +28,19 @@ import javax.servlet.http.HttpServletRequest;

 import org.alfresco.error.AlfrescoRuntimeException;
 import org.alfresco.repo.jscript.ScriptableHashMap;
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.service.ServiceRegistry;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.StoreRef;
 import org.alfresco.service.cmr.security.AccessStatus;
+import org.alfresco.service.cmr.security.AuthorityService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.web.app.Application;
 import org.alfresco.web.app.servlet.BaseServlet;
 import org.alfresco.web.bean.repository.Repository;
 import org.alfresco.web.bean.repository.User;
+import org.alfresco.web.config.ClientConfigElement;
+import org.springframework.extensions.config.ConfigService;

 /**
 * Script command processor implementation.
@@ -98,7 +102,7 @@ public final class ScriptCommandProcessor implements CommandProcessor
         }
      }
      
-      // check we can access the nodes specified
+      // check we can READ access the nodes specified
      PermissionService ps = Repository.getServiceRegistry(sc).getPermissionService();
      allowed = (ps.hasPermission(this.scriptRef, PermissionService.READ) == AccessStatus.ALLOWED);
      if (this.docRef != null)
@@ -106,7 +110,14 @@ public final class ScriptCommandProcessor implements CommandProcessor
         allowed &= (ps.hasPermission(this.docRef, PermissionService.READ) == AccessStatus.ALLOWED);
      }
      
-      // check that the user has at least READ access on the node - else redirect to the login page
+      // check to see if user is allowed to execute arbituary javascript
+      // by default only an admin authority can perform this action
+      ConfigService configService = Application.getConfigService(sc);
+      ClientConfigElement configElement = (ClientConfigElement)configService.getGlobalConfig().getConfigElement("client");
+      boolean allowScriptExecute = configElement.getAllowUserScriptExecute();
+      AuthorityService authService = Repository.getServiceRegistry(sc).getAuthorityService();
+      allowed &= (allowScriptExecute || authService.isAdminAuthority(AuthenticationUtil.getFullyAuthenticatedUser()));
+      
      return allowed;
   }
   
--- a/source/java/org/alfresco/web/config/ClientConfigElement.java
+++ b/source/java/org/alfresco/web/config/ClientConfigElement.java
@@ -23,15 +23,15 @@ import java.util.List;

 import javax.faces.context.FacesContext;

-import org.springframework.extensions.config.ConfigElement;
 import org.alfresco.config.JNDIConstants;
-import org.springframework.extensions.config.element.ConfigElementAdapter;
 import org.alfresco.mbeans.VirtServerRegistry;
 import org.alfresco.service.namespace.QName;
 import org.alfresco.util.ExpiringValueCache;
 import org.alfresco.web.bean.repository.Repository;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.springframework.extensions.config.ConfigElement;
+import org.springframework.extensions.config.element.ConfigElementAdapter;

 /**
 * Custom config element that represents config values for the client
@@ -83,6 +83,7 @@ public class ClientConfigElement extends ConfigElementAdapter
   private boolean allowUserConfig = true;
   private int pickerSearchMinimum = 2;
   private boolean checkContextAgainstPath = false;
+   private boolean allowUserScriptExecute = false;
   
   
   /**
@@ -314,6 +315,11 @@ public class ClientConfigElement extends ConfigElementAdapter
         combinedElement.setCheckContextAgainstPath(newElement.getCheckContextAgainstPath());
      }
      
+      if (newElement.getAllowUserScriptExecute() != combinedElement.getAllowUserScriptExecute())
+      {
+         combinedElement.setAllowUserScriptExecute(newElement.getAllowUserScriptExecute());
+      }
+      
      return combinedElement;
   }
   
@@ -891,4 +897,20 @@ public class ClientConfigElement extends ConfigElementAdapter
   {
      this.checkContextAgainstPath = checkContextAgainstPath;
   }
+   
+   /**
+    * @return true if any user can execute JavaScript via the command servlet
+    */
+   public boolean getAllowUserScriptExecute()
+   {
+      return this.allowUserScriptExecute;
+   }
+
+   /**
+    * @param allowUserScriptExecute true to allow any user to execute JavaScript via the command servlet
+    */
+   /*package*/ void setAllowUserScriptExecute(boolean allowUserScriptExecute)
+   {
+      this.allowUserScriptExecute = allowUserScriptExecute;
+   }
 }
--- a/source/java/org/alfresco/web/config/ClientElementReader.java
+++ b/source/java/org/alfresco/web/config/ClientElementReader.java
@@ -22,11 +22,11 @@ package org.alfresco.web.config;
 import java.util.ArrayList;
 import java.util.List;

+import org.alfresco.service.namespace.QName;
+import org.dom4j.Element;
 import org.springframework.extensions.config.ConfigElement;
 import org.springframework.extensions.config.ConfigException;
 import org.springframework.extensions.config.xml.elementreader.ConfigElementReader;
-import org.alfresco.service.namespace.QName;
-import org.dom4j.Element;

 /**
 * Custom element reader to parse config for client config values
@@ -67,6 +67,7 @@ public class ClientElementReader implements ConfigElementReader
   public static final String ELEMENT_ALLOWUSERCONFIG = "allow-user-config";
   public static final String ELEMENT_PICKERSEARCHMINIMUM = "picker-search-minimum";
   public static final String ELEMENT_CHECKCONTEXTPATH = "check-context-against-path";
+   public static final String ELEMENT_ALLOWUSERSCRIPTEXECUTE = "allow-user-script-execute";
   
   
   /**
@@ -326,6 +327,13 @@ public class ClientElementReader implements ConfigElementReader
         {
            configElement.setCheckContextAgainstPath(Boolean.parseBoolean(checkContextAgainstPath.getTextTrim()));
         }
+         
+         // get allow any user to execute javascript via the command servlet
+         Element allowUserScriptExecute = element.element(ELEMENT_ALLOWUSERSCRIPTEXECUTE);
+         if (allowUserScriptExecute != null)
+         {
+            configElement.setAllowUserScriptExecute(Boolean.parseBoolean(allowUserScriptExecute.getTextTrim()));
+         }
      }
      
      return configElement;