LPS-193812 Only allowed bundles can manage system object relationships

gabrielwas · Aug 24, 2023 · 52cf5df · 52cf5df
1 parent 18f736c
commit 52cf5df
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 5 deletions.
diff --git a/.../com/liferay/object/admin/rest/internal/resource/v1_0/ObjectRelationshipResourceImpl.java b/.../com/liferay/object/admin/rest/internal/resource/v1_0/ObjectRelationshipResourceImpl.java
@@ -294,11 +294,17 @@ private ObjectRelationship _toObjectRelationship(
 				false,
 				HashMapBuilder.put(
 					"delete",
-					addAction(
-						ActionKeys.DELETE, "deleteObjectRelationship",
-						com.liferay.object.model.ObjectDefinition.class.
-							getName(),
-						objectRelationship.getObjectDefinitionId1())
+					() -> {
+						if (objectRelationship.isSystem()) {
+							return null;
+						}
+
+						return addAction(
+							ActionKeys.DELETE, "deleteObjectRelationship",
+							com.liferay.object.model.ObjectDefinition.class.
+								getName(),
+							objectRelationship.getObjectDefinitionId1());
+					}
 				).build(),
 				null, null, contextAcceptLanguage.getPreferredLocale(), null,
 				null),

diff --git a/...ice/src/main/java/com/liferay/object/service/impl/ObjectRelationshipLocalServiceImpl.java b/...ice/src/main/java/com/liferay/object/service/impl/ObjectRelationshipLocalServiceImpl.java
@@ -15,6 +15,7 @@
 import com.liferay.object.exception.ObjectRelationshipNameException;
 import com.liferay.object.exception.ObjectRelationshipParameterObjectFieldIdException;
 import com.liferay.object.exception.ObjectRelationshipReverseException;
+import com.liferay.object.exception.ObjectRelationshipSystemException;
 import com.liferay.object.exception.ObjectRelationshipTypeException;
 import com.liferay.object.internal.dao.db.ObjectDBManagerUtil;
 import com.liferay.object.internal.info.collection.provider.RelatedInfoCollectionProviderFactory;
@@ -37,6 +38,7 @@
 import com.liferay.object.system.JaxRsApplicationDescriptor;
 import com.liferay.object.system.SystemObjectDefinitionManager;
 import com.liferay.object.system.SystemObjectDefinitionManagerRegistry;
+import com.liferay.object.system.util.SystemUtil;
 import com.liferay.osgi.util.service.Snapshot;
 import com.liferay.petra.sql.dsl.Column;
 import com.liferay.petra.sql.dsl.DSLQueryFactoryUtil;
@@ -286,6 +288,13 @@ public ObjectRelationship deleteObjectRelationship(
 				"Reverse object relationships cannot be deleted");
 		}
 
+		if (objectRelationship.isSystem() &&
+			!SystemUtil.allowManageSystemEntities()) {
+
+			throw new ObjectRelationshipSystemException(
+				"Only allowed bundles can delete system relationships");
+		}
+
 		objectRelationship = objectRelationshipPersistence.remove(
 			objectRelationship);
 
@@ -701,6 +710,13 @@ public ObjectRelationship updateObjectRelationship(
 			objectRelationshipPersistence.findByPrimaryKey(
 				objectRelationshipId);
 
+		if (objectRelationship.isSystem() &&
+			!SystemUtil.allowManageSystemEntities()) {
+
+			throw new ObjectRelationshipSystemException(
+				"Only allowed bundles can update system relationships");
+		}
+
 		if (objectRelationship.isReverse()) {
 			throw new ObjectRelationshipReverseException(
 				"Reverse object relationships cannot be updated");
@@ -844,6 +860,11 @@ private ObjectRelationship _addObjectRelationship(
 			boolean system, String type)
 		throws PortalException {
 
+		if (system && !SystemUtil.allowManageSystemEntities()) {
+			throw new ObjectRelationshipSystemException(
+				"Only allowed bundles can create system relationships");
+		}
+
 		_validateName(objectDefinitionId1, name);
 
 		ObjectDefinition objectDefinition1 =