TRUNK-6203: Global properties access should be privileged (#608)

openmrs · Jun 2, 2024 · 58cc4a9 · 58cc4a9
1 parent fcc0ee7
commit 58cc4a9
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 3 deletions.
diff --git a/omod-common/src/main/java/org/openmrs/module/webservices/rest/web/RestUtil.java b/omod-common/src/main/java/org/openmrs/module/webservices/rest/web/RestUtil.java
@@ -48,6 +48,7 @@
 import org.openmrs.module.webservices.rest.web.resource.api.SubResource;
 import org.openmrs.module.webservices.validation.ValidationException;
 import org.openmrs.util.OpenmrsClassLoader;
+import org.openmrs.util.PrivilegeConstants;
 import org.springframework.validation.FieldError;
 import org.springframework.validation.ObjectError;
 import org.springframework.web.bind.ServletRequestBindingException;
@@ -210,8 +211,16 @@ public static boolean ipMatches(String ip, List<String> candidateIps) {
 	 * @return the list of IPs
 	 */
 	public static List<String> getAllowedIps() {
-		String allowedIpsProperty = Context.getAdministrationService()
-		        .getGlobalProperty(RestConstants.ALLOWED_IPS_GLOBAL_PROPERTY_NAME, "");
+		String allowedIpsProperty = "";
+		try {
+			Context.addProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES);
+			allowedIpsProperty = Context.getAdministrationService()
+					.getGlobalProperty(RestConstants.ALLOWED_IPS_GLOBAL_PROPERTY_NAME, allowedIpsProperty);
+		}
+		finally {
+			Context.removeProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES);
+		}
+
 
 		if (allowedIpsProperty.isEmpty()) {
 			return Collections.emptyList();

diff --git a/pom.xml b/pom.xml
@@ -33,7 +33,7 @@
 
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-		<openmrs.version>1.9.10</openmrs.version>
+		<openmrs.version>1.11.6</openmrs.version>
 		<maven.compiler.source>1.6</maven.compiler.source>
 		<maven.compiler.target>1.6</maven.compiler.target>