Lps 193374

modules/apps/object/object-admin-rest-impl/src/main/java/com/liferay/object/admin/rest/internal/jaxrs/exception/mapper/ObjectValidationRuleEngineExceptionMapper.java

@@ -0,0 +1,54 @@
+/**
+ * SPDX-FileCopyrightText: (c) 2023 Liferay, Inc. https://liferay.com
+ * SPDX-License-Identifier: LGPL-2.1-or-later OR LicenseRef-Liferay-DXP-EULA-2.0.0-2023-06
+ */
+
+package com.liferay.object.admin.rest.internal.jaxrs.exception.mapper;
+
+import com.liferay.object.exception.ObjectValidationRuleEngineException;
+import com.liferay.portal.kernel.language.Language;
+import com.liferay.portal.vulcan.accept.language.AcceptLanguage;
+import com.liferay.portal.vulcan.jaxrs.exception.mapper.BaseExceptionMapper;
+import com.liferay.portal.vulcan.jaxrs.exception.mapper.Problem;
+
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.ext.ExceptionMapper;
+
+import org.osgi.service.component.annotations.Component;
+import org.osgi.service.component.annotations.Reference;
+
+/**
+ * @author Pedro Leite
+ */
+@Component(
+	property = {
+		"osgi.jaxrs.application.select=(osgi.jaxrs.name=Liferay.Object.Admin.REST)",
+		"osgi.jaxrs.extension=true",
+		"osgi.jaxrs.name=Liferay.Object.Admin.REST.ObjectValidationRuleEngineExceptionMapper"
+	},
+	service = ExceptionMapper.class
+)
+public class ObjectValidationRuleEngineExceptionMapper
+	extends BaseExceptionMapper<ObjectValidationRuleEngineException> {
+
+	@Override
+	protected Problem getProblem(
+		ObjectValidationRuleEngineException
+			objectValidationRuleEngineException) {
+
+		return new Problem(
+			Response.Status.BAD_REQUEST,
+			_language.get(
+				_acceptLanguage.getPreferredLocale(),
+				objectValidationRuleEngineException.getMessageKey(),
+				objectValidationRuleEngineException.getMessage()));
+	}
+
+	@Context
+	private AcceptLanguage _acceptLanguage;
+
+	@Reference
+	private Language _language;
+
+}

modules/apps/object/object-api/bnd.bnd

@@ -6,6 +6,7 @@ Export-Package:\
 	com.liferay.object.action.executor,\
 	com.liferay.object.action.trigger,\
 	com.liferay.object.configuration,\
+	com.liferay.object.configuration.util,\
 	com.liferay.object.constants,\
 	com.liferay.object.definition.notification.term.util,\
 	com.liferay.object.definition.tree,\

modules/apps/object/object-api/src/main/java/com/liferay/object/configuration/ObjectConfiguration.java

@@ -21,6 +21,13 @@
 )
 public interface ObjectConfiguration {
 
+	@Meta.AD(
+		deflt = "false",
+		description = "allow-administrators-execute-script-help",
+		name = "allow-administrators-execute-script", required = false
+	)
+	public boolean allowAdministratorsExecuteScript();
+
 	@Meta.AD(
 		deflt = "100",
 		description = "maximum-number-of-guest-user-object-entries-per-object-definition-help",

modules/apps/object/object-api/src/main/java/com/liferay/object/configuration/util/ObjectConfigurationUtil.java

@@ -0,0 +1,44 @@
+/**
+ * SPDX-FileCopyrightText: (c) 2023 Liferay, Inc. https://liferay.com
+ * SPDX-License-Identifier: LGPL-2.1-or-later OR LicenseRef-Liferay-DXP-EULA-2.0.0-2023-06
+ */
+
+package com.liferay.object.configuration.util;
+
+import com.liferay.object.configuration.ObjectConfiguration;
+import com.liferay.portal.kernel.exception.PortalException;
+import com.liferay.portal.kernel.module.configuration.ConfigurationProviderUtil;
+import com.liferay.portal.kernel.security.permission.PermissionChecker;
+
+/**
+ * @author Pedro Leite
+ */
+public class ObjectConfigurationUtil {
+
+	public static boolean hasPermissionExecuteScript(
+			PermissionChecker permissionChecker)
+		throws PortalException {
+
+		ObjectConfiguration objectConfiguration =
+			ConfigurationProviderUtil.getSystemConfiguration(
+				ObjectConfiguration.class);
+
+		if (permissionChecker.isOmniadmin() ||
+			(objectConfiguration.allowAdministratorsExecuteScript() &&
+			 permissionChecker.isCompanyAdmin())) {
+
+			return true;
+		}
+
+		return false;
+	}
+
+	public static int maximumFileSizeForGuestUsers() throws PortalException {
+		ObjectConfiguration objectConfiguration =
+			ConfigurationProviderUtil.getSystemConfiguration(
+				ObjectConfiguration.class);
+
+		return objectConfiguration.maximumFileSizeForGuestUsers();
+	}
+
+}

modules/apps/object/object-api/src/main/java/com/liferay/object/exception/ObjectValidationRuleEngineException.java

@@ -53,6 +53,15 @@ public InvalidScript() {
 
 	}
 
+	public static class MustHavePermissionEngineGroovy
+		extends ObjectValidationRuleEngineException {
+
+		public MustHavePermissionEngineGroovy() {
+			super("The user must have permission to choose engine Groovy.");
+		}
+
+	}
+
 	public static class MustNotBeNull
 		extends ObjectValidationRuleEngineException {
 

modules/apps/object/object-api/src/main/resources/com/liferay/object/configuration/packageinfo

@@ -1 +1 @@
-version 1.0.0
+version 2.0.0

modules/apps/object/object-api/src/main/resources/com/liferay/object/configuration/util/packageinfo

@@ -0,0 +1 @@
+version 1.0.0

modules/apps/object/object-service/build.gradle

@@ -49,6 +49,7 @@ dependencies {
 	compileOnly project(":apps:portal:portal-instance-lifecycle-api")
 	compileOnly project(":apps:static:osgi:osgi-util")
 	compileOnly project(":apps:static:portal-configuration:portal-configuration-metatype-api")
+	compileOnly project(":apps:static:portal-configuration:portal-configuration-persistence-api")
 	compileOnly project(":apps:static:portal:portal-upgrade-api")
 	compileOnly project(":apps:user-associated-data:user-associated-data-api")
 	compileOnly project(":core:osgi-service-tracker-collections")

modules/apps/object/object-service/src/main/java/com/liferay/object/internal/configuration/persistence/listener/ObjectConfigurationModelListener.java

@@ -0,0 +1,87 @@
+/**
+ * SPDX-FileCopyrightText: (c) 2023 Liferay, Inc. https://liferay.com
+ * SPDX-License-Identifier: LGPL-2.1-or-later OR LicenseRef-Liferay-DXP-EULA-2.0.0-2023-06
+ */
+
+package com.liferay.object.internal.configuration.persistence.listener;
+
+import com.liferay.object.constants.ObjectActionExecutorConstants;
+import com.liferay.object.constants.ObjectValidationRuleConstants;
+import com.liferay.object.model.ObjectAction;
+import com.liferay.object.model.ObjectValidationRule;
+import com.liferay.object.service.ObjectActionLocalService;
+import com.liferay.object.service.ObjectValidationRuleLocalService;
+import com.liferay.portal.configuration.persistence.listener.ConfigurationModelListener;
+import com.liferay.portal.kernel.dao.orm.QueryUtil;
+import com.liferay.portal.kernel.util.GetterUtil;
+import com.liferay.portal.kernel.util.Portal;
+import com.liferay.portal.kernel.util.StringUtil;
+
+import java.util.Dictionary;
+
+import org.osgi.service.component.annotations.Component;
+import org.osgi.service.component.annotations.Reference;
+
+/**
+ * @author Pedro Leite
+ */
+@Component(
+	property = "model.class.name=com.liferay.object.configuration.ObjectConfiguration",
+	service = ConfigurationModelListener.class
+)
+public class ObjectConfigurationModelListener
+	implements ConfigurationModelListener {
+
+	@Override
+	public void onAfterSave(String pid, Dictionary<String, Object> properties) {
+		boolean allowAdministratorsExecuteScript = GetterUtil.getBoolean(
+			properties.get("allowAdministratorsExecuteScript"));
+
+		if (!allowAdministratorsExecuteScript) {
+			long defaultCompanyId = _portal.getDefaultCompanyId();
+
+			for (ObjectAction objectAction :
+					_objectActionLocalService.getObjectActions(
+						QueryUtil.ALL_POS, QueryUtil.ALL_POS)) {
+
+				if ((objectAction.getCompanyId() != defaultCompanyId) &&
+					objectAction.isActive() &&
+					StringUtil.equals(
+						objectAction.getObjectActionExecutorKey(),
+						ObjectActionExecutorConstants.KEY_GROOVY)) {
+
+					objectAction.setActive(false);
+
+					_objectActionLocalService.updateObjectAction(objectAction);
+				}
+			}
+
+			for (ObjectValidationRule objectValidationRule :
+					_objectValidationRuleLocalService.getObjectValidationRules(
+						QueryUtil.ALL_POS, QueryUtil.ALL_POS)) {
+
+				if ((objectValidationRule.getCompanyId() != defaultCompanyId) &&
+					objectValidationRule.isActive() &&
+					StringUtil.equals(
+						objectValidationRule.getEngine(),
+						ObjectValidationRuleConstants.ENGINE_TYPE_GROOVY)) {
+
+					objectValidationRule.setActive(false);
+
+					_objectValidationRuleLocalService.
+						updateObjectValidationRule(objectValidationRule);
+				}
+			}
+		}
+	}
+
+	@Reference
+	private ObjectActionLocalService _objectActionLocalService;
+
+	@Reference
+	private ObjectValidationRuleLocalService _objectValidationRuleLocalService;
+
+	@Reference
+	private Portal _portal;
+
+}

modules/apps/object/object-service/src/main/java/com/liferay/object/service/impl/ObjectActionServiceImpl.java

@@ -5,17 +5,22 @@
 
 package com.liferay.object.service.impl;
 
+import com.liferay.object.configuration.util.ObjectConfigurationUtil;
+import com.liferay.object.constants.ObjectActionExecutorConstants;
+import com.liferay.object.exception.ObjectActionExecutorKeyException;
 import com.liferay.object.model.ObjectAction;
 import com.liferay.object.model.ObjectDefinition;
 import com.liferay.object.service.base.ObjectActionServiceBaseImpl;
 import com.liferay.portal.aop.AopService;
 import com.liferay.portal.kernel.exception.PortalException;
 import com.liferay.portal.kernel.security.permission.ActionKeys;
+import com.liferay.portal.kernel.security.permission.PermissionChecker;
 import com.liferay.portal.kernel.security.permission.resource.ModelResourcePermission;
 import com.liferay.portal.kernel.util.UnicodeProperties;
 
 import java.util.Locale;
 import java.util.Map;
+import java.util.Objects;
 
 import org.osgi.service.component.annotations.Component;
 import org.osgi.service.component.annotations.Reference;
@@ -45,6 +50,9 @@ public ObjectAction addObjectAction(
 		_objectDefinitionModelResourcePermission.check(
 			getPermissionChecker(), objectDefinitionId, ActionKeys.UPDATE);
 
+		_validateConfigurationExecuteScript(
+			objectActionExecutorKey, getPermissionChecker());
+
 		return objectActionLocalService.addObjectAction(
 			externalReferenceCode, getUserId(), objectDefinitionId, active,
 			conditionExpression, description, errorMessageMap, labelMap, name,
@@ -97,13 +105,32 @@ public ObjectAction updateObjectAction(
 			getPermissionChecker(), objectAction.getObjectDefinitionId(),
 			ActionKeys.UPDATE);
 
+		_validateConfigurationExecuteScript(
+			objectActionExecutorKey, getPermissionChecker());
+
 		return objectActionLocalService.updateObjectAction(
 			externalReferenceCode, objectActionId, active, conditionExpression,
 			description, errorMessageMap, labelMap, name,
 			objectActionExecutorKey, objectActionTriggerKey,
 			parametersUnicodeProperties);
 	}
 
+	private void _validateConfigurationExecuteScript(
+			String objectActionExecutorKey, PermissionChecker permissionChecker)
+		throws PortalException {
+
+		if (Objects.equals(
+				objectActionExecutorKey,
+				ObjectActionExecutorConstants.KEY_GROOVY) &&
+			!ObjectConfigurationUtil.hasPermissionExecuteScript(
+				permissionChecker)) {
+
+			throw new ObjectActionExecutorKeyException(
+				"The user must have permission to choose object action " +
+					"executor key Groovy");
+		}
+	}
+
 	@Reference(
 		target = "(model.class.name=com.liferay.object.model.ObjectDefinition)"
 	)

modules/apps/object/object-service/src/main/java/com/liferay/object/service/impl/ObjectValidationRuleServiceImpl.java

@@ -5,18 +5,23 @@
 
 package com.liferay.object.service.impl;
 
+import com.liferay.object.configuration.util.ObjectConfigurationUtil;
+import com.liferay.object.constants.ObjectValidationRuleConstants;
+import com.liferay.object.exception.ObjectValidationRuleEngineException;
 import com.liferay.object.model.ObjectDefinition;
 import com.liferay.object.model.ObjectValidationRule;
 import com.liferay.object.model.ObjectValidationRuleSetting;
 import com.liferay.object.service.base.ObjectValidationRuleServiceBaseImpl;
 import com.liferay.portal.aop.AopService;
 import com.liferay.portal.kernel.exception.PortalException;
 import com.liferay.portal.kernel.security.permission.ActionKeys;
+import com.liferay.portal.kernel.security.permission.PermissionChecker;
 import com.liferay.portal.kernel.security.permission.resource.ModelResourcePermission;
 
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
+import java.util.Objects;
 
 import org.osgi.service.component.annotations.Component;
 import org.osgi.service.component.annotations.Reference;
@@ -45,6 +50,8 @@ public ObjectValidationRule addObjectValidationRule(
 		_objectDefinitionModelResourcePermission.check(
 			getPermissionChecker(), objectDefinitionId, ActionKeys.UPDATE);
 
+		_validateConfigurationExecuteScript(engine, getPermissionChecker());
+
 		return objectValidationRuleLocalService.addObjectValidationRule(
 			getUserId(), objectDefinitionId, active, engine, errorLabelMap,
 			nameMap, outputType, script, objectValidationRuleSettings);
@@ -100,11 +107,27 @@ public ObjectValidationRule updateObjectValidationRule(
 			getPermissionChecker(),
 			objectValidationRule.getObjectDefinitionId(), ActionKeys.UPDATE);
 
+		_validateConfigurationExecuteScript(engine, getPermissionChecker());
+
 		return objectValidationRuleLocalService.updateObjectValidationRule(
 			objectValidationRuleId, active, engine, errorLabelMap, nameMap,
 			outputType, script, objectValidationRuleSettings);
 	}
 
+	private void _validateConfigurationExecuteScript(
+			String engine, PermissionChecker permissionChecker)
+		throws PortalException {
+
+		if (Objects.equals(
+				engine, ObjectValidationRuleConstants.ENGINE_TYPE_GROOVY) &&
+			!ObjectConfigurationUtil.hasPermissionExecuteScript(
+				permissionChecker)) {
+
+			throw new ObjectValidationRuleEngineException.
+				MustHavePermissionEngineGroovy();
+		}
+	}
+
 	@Reference(
 		target = "(model.class.name=com.liferay.object.model.ObjectDefinition)"
 	)