This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git
The following commit(s) were added to refs/heads/release18.12 by this push: new 582add7d3 Fixed: Disallow unauthorized users to use Solr (OFBIZ-12792) 582add7d3 is described below commit 582add7d3cca2267b92667e9b594a27a34404e01 Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Sun Apr 2 12:05:55 2023 +0200 Fixed: Disallow unauthorized users to use Solr (OFBIZ-12792) Adds a message explaining to unauthorized users they can't use Solr
---
 solr/config/SolrUiLabels.xml | 6 ++++--
 .../java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java | 6 ++++++
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/solr/config/SolrUiLabels.xml b/solr/config/SolrUiLabels.xml
index edff6279d..340316019 100644
--- a/solr/config/SolrUiLabels.xml
+++ b/solr/config/SolrUiLabels.xml
@@ -45,7 +45,6 @@ under the License.
 <property key="SolrMissingProductCategoryId">
 <value xml:lang="en">Missing product category id.</value>
 </property>
-
 <property key="SolrErrorManageLoginFirst">
 <value xml:lang="en">To manage Solr in OFBiz, you have to login first and have the permission to do so.</value>
 </property>
@@ -70,4 +69,7 @@ under the License.
 <property key="SolrErrorNoViewFilePermission">
 <value xml:lang="en">To view files of a Solr index in OFBiz, you should have the permission to do so.</value>
 </property>
-</resource>
\ No newline at end of file
+ <property key="SolrErrorUnauthorisedRequestForSecurityReason">
+ <value xml:lang="en">The request must be from an authorized user</value>
+ </property>
+</resource>
diff --git a/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java b/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
index be81be57b..ad1f5c074 100644
--- a/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
+++ b/solr/src/main/java/org/apache/ofbiz/solr/webapp/OFBizSolrContextFilter.java
@@ -81,6 +81,12 @@ public class OFBizSolrContextFilter extends SolrDispatchFilter { // check if the request is from an authorized user String servletPath = httpRequest.getServletPath(); + + if (servletPath.equals("/solrdefault/debug/dump")) { + sendJsonHeaderMessage(httpRequest, httpResponse, null, "SolrErrorUnauthorisedRequestForSecurityReason", null, locale); + return; + } + if (UtilValidate.isNotEmpty(servletPath) && (servletPath.startsWith("/admin/") || servletPath.endsWith("/update") || servletPath.endsWith("/update/json") || servletPath.endsWith("/update/csv") || servletPath.endsWith("/update/extract") || servletPath.endsWith("/replication") || servletPath.endsWith("/file") || servletPath.endsWith("/file/"))) {