TRUNK-6203: Global properties access should be privileged

Author: wikumChamith

api/src/main/java/org/openmrs/ui/framework/FormatterImpl.java

@@ -34,6 +34,7 @@
 import org.openmrs.ui.framework.formatter.FormatterService;
 import org.springframework.context.MessageSource;
 
+import static org.openmrs.ui.framework.UiFrameworkConstants.GET_GLOBAL_PROPERTIES;
 import static org.openmrs.util.TimeZoneUtil.toTimezone;
 
 /**
@@ -117,6 +118,7 @@ private boolean wholeNumber(Number n) {
 
 	private String format(Date d, Locale locale) {
 		DateFormat df;
+		Context.addProxyPrivilege(GET_GLOBAL_PROPERTIES);
 		boolean convertTimezones = BooleanUtils
 		        .toBoolean(administrationService.getGlobalProperty(UiFrameworkConstants.GP_TIMEZONE_CONVERSIONS));
 		if (convertTimezones) {
@@ -130,6 +132,7 @@ private String format(Date d, Locale locale) {
 		} else {
 			df = UiFrameworkUtil.getDateFormat(administrationService, locale);
 		}
+		Context.removeProxyPrivilege(GET_GLOBAL_PROPERTIES);
 		return df.format(d);
 	}
 
@@ -276,7 +279,9 @@ private String format(PersonAddress personAddress, Locale locale) {
 				Object templates = MethodUtils.invokeExactMethod(addressSupport, "getAddressTemplate", null);
 				addressTemplate = ((List<?>) templates).get(0);
 			} else {
+				Context.addProxyPrivilege(GET_GLOBAL_PROPERTIES);
 				String templateName = administrationService.getGlobalProperty(ADDRESS_LAYOUT_TEMPLATE_NAME_GP);
+				Context.removeProxyPrivilege(GET_GLOBAL_PROPERTIES);
 				if (templateName != null) {
 					addressTemplate = MethodUtils.invokeExactMethod(addressSupport, "getLayoutTemplateByName", templateName);
 				}

api/src/main/java/org/openmrs/ui/framework/UiFrameworkConstants.java

@@ -37,4 +37,6 @@ public class UiFrameworkConstants {
 	//The name of the user property that save the client timezone.
 	public static final String UP_CLIENT_TIMEZONE = "uiframework.client.timezone";
 
+	public static final String GET_GLOBAL_PROPERTIES = "Get Global Properties";
+	
 }

api/src/main/java/org/openmrs/ui/framework/UiFrameworkUtil.java

@@ -54,6 +54,8 @@
 import org.springframework.web.multipart.MultipartFile;
 import org.springframework.web.multipart.MultipartHttpServletRequest;
 
+import static org.openmrs.ui.framework.UiFrameworkConstants.GET_GLOBAL_PROPERTIES;
+
 public class UiFrameworkUtil {
 
 	private static Log log = LogFactory.getLog(UiFrameworkUtil.class);
@@ -667,9 +669,11 @@ private static String getRuntimeOrSystemProperty(String key) {
 	public static DateFormat getDateFormat(AdministrationService administrationService, Locale locale) {
 		String defaultFormat = "dd.MMM.yyyy";
 		if (administrationService != null) {
-			return new SimpleDateFormat(
-			        administrationService.getGlobalProperty(UiFrameworkConstants.GP_FORMATTER_DATE_FORMAT, defaultFormat),
-			        locale);
+			Context.addProxyPrivilege(GET_GLOBAL_PROPERTIES);
+			String globalProperty = administrationService.getGlobalProperty(UiFrameworkConstants.GP_FORMATTER_DATE_FORMAT,
+			    defaultFormat);
+			Context.removeProxyPrivilege(GET_GLOBAL_PROPERTIES);
+			return new SimpleDateFormat(globalProperty, locale);
 		} else {
 			return new SimpleDateFormat(defaultFormat, locale);
 		}
@@ -678,8 +682,11 @@ public static DateFormat getDateFormat(AdministrationService administrationServi
 	public static DateFormat getDateTimeFormat(AdministrationService administrationService, Locale locale) {
 		String defaultFormat = "dd.MMM.yyyy, HH:mm:ss";
 		if (administrationService != null) {
-			return new SimpleDateFormat(administrationService
-			        .getGlobalProperty(UiFrameworkConstants.GP_FORMATTER_DATETIME_FORMAT, defaultFormat), locale);
+			Context.addProxyPrivilege(GET_GLOBAL_PROPERTIES);
+			String globalProperty = administrationService
+			        .getGlobalProperty(UiFrameworkConstants.GP_FORMATTER_DATETIME_FORMAT, defaultFormat);
+			Context.removeProxyPrivilege(GET_GLOBAL_PROPERTIES);
+			return new SimpleDateFormat(globalProperty, locale);
 		} else {
 			return new SimpleDateFormat(defaultFormat, locale);
 		}
@@ -688,9 +695,11 @@ public static DateFormat getDateTimeFormat(AdministrationService administrationS
 	public static DateFormat getTimeFormat(AdministrationService administrationService, Locale locale) {
 		String defaultFormat = "hh:mm a";
 		if (administrationService != null) {
-			return new SimpleDateFormat(
-			        administrationService.getGlobalProperty(UiFrameworkConstants.GP_FORMATTER_TIME_FORMAT, defaultFormat),
-			        locale);
+			Context.addProxyPrivilege(GET_GLOBAL_PROPERTIES);
+			String globalProperty = administrationService.getGlobalProperty(UiFrameworkConstants.GP_FORMATTER_TIME_FORMAT,
+			    defaultFormat);
+			Context.removeProxyPrivilege(GET_GLOBAL_PROPERTIES);
+			return new SimpleDateFormat(globalProperty, locale);
 		} else {
 			return new SimpleDateFormat(defaultFormat, locale);
 		}

api/src/main/java/org/openmrs/ui/framework/UiUtils.java

@@ -32,6 +32,7 @@
 import java.util.Map;
 import java.util.Random;
 
+import static org.openmrs.ui.framework.UiFrameworkConstants.GET_GLOBAL_PROPERTIES;
 import static org.openmrs.util.TimeZoneUtil.toTimezone;
 
 /**
@@ -643,36 +644,62 @@ public void setLocale(Locale locale) {
 	 * @return the value of the Global Property GP_TIMEZONE_CONVERSIONS
 	 */
 	public boolean convertTimezones() {
-		return BooleanUtils.toBoolean(
-		    Context.getAdministrationService().getGlobalProperty(UiFrameworkConstants.GP_TIMEZONE_CONVERSIONS));
+		Context.addProxyPrivilege(GET_GLOBAL_PROPERTIES);
+		String globalProperty = Context.getAdministrationService()
+		        .getGlobalProperty(UiFrameworkConstants.GP_TIMEZONE_CONVERSIONS);
+		Context.removeProxyPrivilege(GET_GLOBAL_PROPERTIES);
+		return BooleanUtils.toBoolean(globalProperty);
 	}
 
 	public String getJSDatetimeFormat() {
-		return Context.getAdministrationService().getGlobalProperty(UiFrameworkConstants.GP_FORMATTER_JS_DATETIME_FORMAT);
+		Context.addProxyPrivilege(GET_GLOBAL_PROPERTIES);
+		String globalProperty = Context.getAdministrationService()
+		        .getGlobalProperty(UiFrameworkConstants.GP_FORMATTER_JS_DATETIME_FORMAT);
+		Context.removeProxyPrivilege(GET_GLOBAL_PROPERTIES);
+		return globalProperty;
 	}
 
 	public String getJSDateFormat() {
-		return Context.getAdministrationService().getGlobalProperty(UiFrameworkConstants.GP_FORMATTER_JS_DATE_FORMAT);
+		Context.addProxyPrivilege(GET_GLOBAL_PROPERTIES);
+		String globalProperty = Context.getAdministrationService()
+		        .getGlobalProperty(UiFrameworkConstants.GP_FORMATTER_JS_DATE_FORMAT);
+		Context.removeProxyPrivilege(GET_GLOBAL_PROPERTIES);
+		return globalProperty;
 	}
 
 	public String getDatetimeFormat() {
-		return Context.getAdministrationService().getGlobalProperty(UiFrameworkConstants.GP_FORMATTER_DATETIME_FORMAT);
+		Context.addProxyPrivilege(GET_GLOBAL_PROPERTIES);
+		String globalProperty = Context.getAdministrationService()
+		        .getGlobalProperty(UiFrameworkConstants.GP_FORMATTER_DATETIME_FORMAT);
+		Context.removeProxyPrivilege(GET_GLOBAL_PROPERTIES);
+		return globalProperty;
 	}
 
 	public String getDateFormat() {
-		return Context.getAdministrationService().getGlobalProperty(UiFrameworkConstants.GP_FORMATTER_DATE_FORMAT);
+		Context.addProxyPrivilege(GET_GLOBAL_PROPERTIES);
+		String globalProperty = Context.getAdministrationService()
+		        .getGlobalProperty(UiFrameworkConstants.GP_FORMATTER_DATE_FORMAT);
+		Context.removeProxyPrivilege(GET_GLOBAL_PROPERTIES);
+		return globalProperty;
 	}
 
 	public String getTimeFormat() {
-		return Context.getAdministrationService().getGlobalProperty(UiFrameworkConstants.GP_FORMATTER_TIME_FORMAT);
+		Context.addProxyPrivilege(GET_GLOBAL_PROPERTIES);
+		String globalProperty = Context.getAdministrationService()
+		        .getGlobalProperty(UiFrameworkConstants.GP_FORMATTER_TIME_FORMAT);
+		Context.removeProxyPrivilege(GET_GLOBAL_PROPERTIES);
+		return globalProperty;
 	}
 
 	/**
 	 * @return the value of the User Property clientTimezone, that indicates the client timezone
 	 */
 	public String getClientTimezone() {
-		return Context.getAuthenticatedUser().getUserProperty(
-		    Context.getAdministrationService().getGlobalProperty(UiFrameworkConstants.UP_CLIENT_TIMEZONE));
+		Context.addProxyPrivilege(GET_GLOBAL_PROPERTIES);
+		String globalProperty = Context.getAdministrationService()
+		        .getGlobalProperty(UiFrameworkConstants.UP_CLIENT_TIMEZONE);
+		Context.removeProxyPrivilege(GET_GLOBAL_PROPERTIES);
+		return Context.getAuthenticatedUser().getUserProperty(globalProperty);
 	}
 
 	/**
@@ -683,12 +710,14 @@ public String getClientTimezone() {
 	public void setClientTimezone(String clientTimezone) {
 		try {
 			Context.addProxyPrivilege(PrivilegeConstants.EDIT_USERS);
+			Context.addProxyPrivilege(GET_GLOBAL_PROPERTIES);
 			Context.getUserService().setUserProperty(Context.getAuthenticatedUser(),
 			    Context.getAdministrationService().getGlobalProperty(UiFrameworkConstants.UP_CLIENT_TIMEZONE),
 			    clientTimezone);
 		}
 		finally {
 			Context.removeProxyPrivilege(PrivilegeConstants.EDIT_USERS);
+			Context.removeProxyPrivilege(GET_GLOBAL_PROPERTIES);
 		}
 	}
 

api/src/main/java/org/openmrs/ui/framework/converter/StringToGlobalPropertyConverter.java

@@ -5,6 +5,8 @@
 import org.openmrs.api.context.Context;
 import org.springframework.core.convert.converter.Converter;
 
+import static org.openmrs.ui.framework.UiFrameworkConstants.GET_GLOBAL_PROPERTIES;
+
 /**
  * Note that this converts based on property name, not on id
  */
@@ -15,6 +17,9 @@ public GlobalProperty convert(String propertyName) {
 		if (StringUtils.isBlank(propertyName)) {
 			return null;
 		}
-		return Context.getAdministrationService().getGlobalPropertyObject(propertyName);
+		Context.addProxyPrivilege(GET_GLOBAL_PROPERTIES);
+		GlobalProperty globalPropertyObject = Context.getAdministrationService().getGlobalPropertyObject(propertyName);
+		Context.removeProxyPrivilege(GET_GLOBAL_PROPERTIES);
+		return globalPropertyObject;
 	}
 }

api/src/main/java/org/openmrs/ui/framework/extension/ExtensionManager.java

@@ -17,6 +17,8 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
+import static org.openmrs.ui.framework.UiFrameworkConstants.GET_GLOBAL_PROPERTIES;
+
 /**
  * Manager for extension points
  */
@@ -112,7 +114,9 @@ public <T extends Extension> Map<String, T> getExtensionsByClass(Class<T> clazz)
 	 *         the point has not been configured, this returns null.
 	 */
 	public List<String> getExtensionPointConfiguration(String pointId) {
+		Context.addProxyPrivilege(GET_GLOBAL_PROPERTIES);
 		String gp = Context.getAdministrationService().getGlobalProperty("ui2.extensionConfig." + pointId);
+		Context.removeProxyPrivilege(GET_GLOBAL_PROPERTIES);
 		return gp == null ? null : Arrays.asList(gp.split(","));
 	}
 
@@ -126,7 +130,9 @@ public List<String> getExtensionPointConfiguration(String pointId) {
 	 */
 	public void saveExtensionPointConfiguration(String pointId, String... uniqueIds) {
 		AdministrationService service = Context.getAdministrationService();
+		Context.addProxyPrivilege(GET_GLOBAL_PROPERTIES);
 		GlobalProperty gp = service.getGlobalPropertyObject("ui2.extensionConfig." + pointId);
+		Context.removeProxyPrivilege(GET_GLOBAL_PROPERTIES);
 		if (uniqueIds.length == 0) {
 			if (gp != null)
 				service.purgeGlobalProperty(gp);

api/src/main/java/org/openmrs/util/TimeZoneUtil.java

@@ -24,6 +24,7 @@
 import java.util.TimeZone;
 
 import static org.joda.time.DateTimeZone.UTC;
+import static org.openmrs.ui.framework.UiFrameworkConstants.GET_GLOBAL_PROPERTIES;
 
 /**
  * Helps provide tools to support recommended OpenMRS time zones conventions.
@@ -40,8 +41,10 @@ public class TimeZoneUtil {
 	 * @return string with the date in the client timezone, formatted and ready to be displayed.
 	 */
 	public static String toTimezone(Date date, String format) {
+		Context.addProxyPrivilege(GET_GLOBAL_PROPERTIES);
 		String clientTimezone = Context.getAuthenticatedUser().getUserProperty(
 		    Context.getAdministrationService().getGlobalProperty(UiFrameworkConstants.UP_CLIENT_TIMEZONE));
+		Context.removeProxyPrivilege(GET_GLOBAL_PROPERTIES);
 		return toTimezone(date, format, clientTimezone);
 	}
 

api/src/test/java/org/openmrs/ui/framework/FormatterImplTest.java

@@ -22,9 +22,10 @@
 import org.openmrs.EncounterType;
 import org.openmrs.Obs;
 import org.openmrs.Role;
-import org.openmrs.api.AdministrationService;
 import org.openmrs.User;
-import org.powermock.api.mockito.PowerMockito;
+import org.openmrs.api.AdministrationService;
+import org.openmrs.api.context.Context;
+import org.openmrs.api.context.UserContext;
 import org.springframework.context.MessageSource;
 
 import java.text.SimpleDateFormat;
@@ -54,6 +55,7 @@ public void setUp() {
 		administrationService = mock(AdministrationService.class);
 		messageSource = new MockMessageSource();
 		formatter = new MockFormatter(messageSource, administrationService);
+		Context.setUserContext(new UserContext());
 	}
 
 	@Test