TRUNK-6203: Global properties access should be privileged. Remove aut…

…hentication check
openmrs · Feb 21, 2024 · ea611f1 · ea611f1
1 parent 47afc92
commit ea611f1
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 20 deletions.
diff --git a/api/src/main/java/org/openmrs/api/impl/AdministrationServiceImpl.java b/api/src/main/java/org/openmrs/api/impl/AdministrationServiceImpl.java
@@ -154,39 +154,46 @@ public String getGlobalProperty(String propertyName) throws APIException {
 		if (propertyName == null) {
 			return null;
 		}
+
+		User user = Context.getAuthenticatedUser();
+		GlobalProperty gp = dao.getGlobalPropertyObject(propertyName);
+
 		try {
 			Context.addProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES);
-			if (!Context.isAuthenticated()) {
-				if (!isAnonymouslyAccessible(propertyName)) {
-					log.info("UNAUTHORIZED ACCESS ATTEMPT TO PROPERTY: {}", propertyName);
-					throw new APIAuthenticationException("User is not authenticated");
-				}
+			if (user == null && !isAnonymouslyAccessible(gp)) {
+				log.warn("Property '{}' is not accessible anonymously.", propertyName);
+				throw new APIAuthenticationException("GlobalProperty.property.notAnonymous");
 			}
+		}
+		finally {
+			Context.removeProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES);
+		}
 
-		GlobalProperty gp = dao.getGlobalPropertyObject(propertyName);
+
 		if (gp != null) {
 			if (canViewGlobalProperty(gp)) {
 				return gp.getPropertyValue();
 			} else {
-				throw new APIException("GlobalProperty.error.privilege.required.view", new Object[] {
-				        gp.getViewPrivilege().getPrivilege(), propertyName });
+				throw new APIException("GlobalProperty.error.privilege.required.view",
+				        new Object[] { gp.getViewPrivilege().getPrivilege(), propertyName });
 			}
 		} else {
 			return null;
 		}
+
 	}
-	finally {
-		Context.removeProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES);
-	}
-	}
 
-	private final Set<String> anonymouslyAccessibleProperties = new HashSet<>(Arrays.asList("owa.appBaseUrl", "login.url",
-	    "spa.baseUrl", "referenceapplication.locationUserPropertyName", "default_theme", "gzip.enabled",
-	    "ui2.extensionConfig.org.openmrs.ui.framework.mapResource", "default_locale", "timezone.conversions"));
+	String[] anonymousArray = { "owa.appBaseUrl", "login.url", "spa.baseUrl", "timezone.conversions", "default_theme",
+	        "gzip.enabled", "default_locale" };
+
+	private final Set<String> anonymouslyAccessibleProperties = new HashSet<>(Arrays.asList(anonymousArray));
 
-	private boolean isAnonymouslyAccessible(String propertyName) {
-		// Check if the property is in the set of anonymously accessible properties
-		return anonymouslyAccessibleProperties.contains(propertyName);
+	private boolean isAnonymouslyAccessible(GlobalProperty property) {
+		if (property == null) {
+			return true;
+		}
+		String prop = property.getProperty();
+		return anonymouslyAccessibleProperties.contains(prop);
 	}
 
 	private boolean canViewGlobalProperty(GlobalProperty property) {
@@ -238,6 +245,7 @@ public String getGlobalProperty(String propertyName, String defaultValue) throws
 		if (s == null) {
 			return defaultValue;
 		}
+
 		return s;
 	}
 

diff --git a/api/src/main/resources/messages.properties b/api/src/main/resources/messages.properties
@@ -1251,14 +1251,14 @@ GlobalProperty.error.name.required=Name required for new global property
 GlobalProperty.error.privilege.required.edit=Privilege: {0}, required to edit globalProperty: {1}
 GlobalProperty.error.privilege.required.purge=Privilege: {0}, required to purge globalProperty: {1}
 GlobalProperty.error.privilege.required.view=Privilege: {0}, required to view globalProperty: {1}
+GlobalProperty.property.notAnonymous=GlobalProperty: {0} not on list of anonymouly-accessed global properties
 GlobalProperty.saved=Global properties saved
 GlobalProperty.not.saved=Global properties not saved
 GlobalProperty.toDelete=Tagged for Deletion!
 
 GlobalProperty.error.loadVisitType=Global Property: visit.encounterTypeToVisitTypeMapping does not have a mapping for encounter type: {0}
 GlobalProperty.invalid.value=Invalid value for global property named: {0}
 GlobalProperty.missing=Missing global property named: {0}
-
 ServerLog.view=View Server Log
 ServerLog.view.title=Server Log
 

diff --git a/api/src/test/java/org/openmrs/api/AdministrationServiceTest.java b/api/src/test/java/org/openmrs/api/AdministrationServiceTest.java
@@ -613,7 +613,7 @@ public void getGlobalProperty_shouldReturnGlobalPropertyIfUserIsAllowedToView()
 
 		assertNotNull(adminService.getGlobalProperty(property.getProperty()));
 	}
-
+	
 	/**
 	 * @see org.openmrs.api.AdministrationService#getGlobalPropertyObject(java.lang.String)
 	 */
-Original file line number
+Diff line change
@@ Expand Up @@
     		assertNotNull(adminService.getGlobalProperty(property.getProperty()));
     	}
     	/**
     	 * @see org.openmrs.api.AdministrationService#getGlobalPropertyObject(java.lang.String)
     	 */
@@ Expand Down @@