From 52cf5dfa6f8a3463cf52a0d114cf9d12d5ff05be Mon Sep 17 00:00:00 2001
From: Gabriel Albuquerque <gabriel.albuquerque@liferay.com>
Date: Thu, 17 Aug 2023 20:05:17 -0300
Subject: [PATCH] LPS-193812 Only allowed bundles can manage system object
 relationships

---
 .../v1_0/ObjectRelationshipResourceImpl.java  | 16 +++++++++-----
 .../ObjectRelationshipLocalServiceImpl.java   | 21 +++++++++++++++++++
 2 files changed, 32 insertions(+), 5 deletions(-)

diff --git a/modules/apps/object/object-admin-rest-impl/src/main/java/com/liferay/object/admin/rest/internal/resource/v1_0/ObjectRelationshipResourceImpl.java b/modules/apps/object/object-admin-rest-impl/src/main/java/com/liferay/object/admin/rest/internal/resource/v1_0/ObjectRelationshipResourceImpl.java
index 3fe98e91a9217e..9aad3556813d50 100644
--- a/modules/apps/object/object-admin-rest-impl/src/main/java/com/liferay/object/admin/rest/internal/resource/v1_0/ObjectRelationshipResourceImpl.java
+++ b/modules/apps/object/object-admin-rest-impl/src/main/java/com/liferay/object/admin/rest/internal/resource/v1_0/ObjectRelationshipResourceImpl.java
@@ -294,11 +294,17 @@ private ObjectRelationship _toObjectRelationship(
 				false,
 				HashMapBuilder.put(
 					"delete",
-					addAction(
-						ActionKeys.DELETE, "deleteObjectRelationship",
-						com.liferay.object.model.ObjectDefinition.class.
-							getName(),
-						objectRelationship.getObjectDefinitionId1())
+					() -> {
+						if (objectRelationship.isSystem()) {
+							return null;
+						}
+
+						return addAction(
+							ActionKeys.DELETE, "deleteObjectRelationship",
+							com.liferay.object.model.ObjectDefinition.class.
+								getName(),
+							objectRelationship.getObjectDefinitionId1());
+					}
 				).build(),
 				null, null, contextAcceptLanguage.getPreferredLocale(), null,
 				null),
diff --git a/modules/apps/object/object-service/src/main/java/com/liferay/object/service/impl/ObjectRelationshipLocalServiceImpl.java b/modules/apps/object/object-service/src/main/java/com/liferay/object/service/impl/ObjectRelationshipLocalServiceImpl.java
index 0d2ea8236942b4..03b9aa11374797 100644
--- a/modules/apps/object/object-service/src/main/java/com/liferay/object/service/impl/ObjectRelationshipLocalServiceImpl.java
+++ b/modules/apps/object/object-service/src/main/java/com/liferay/object/service/impl/ObjectRelationshipLocalServiceImpl.java
@@ -15,6 +15,7 @@
 import com.liferay.object.exception.ObjectRelationshipNameException;
 import com.liferay.object.exception.ObjectRelationshipParameterObjectFieldIdException;
 import com.liferay.object.exception.ObjectRelationshipReverseException;
+import com.liferay.object.exception.ObjectRelationshipSystemException;
 import com.liferay.object.exception.ObjectRelationshipTypeException;
 import com.liferay.object.internal.dao.db.ObjectDBManagerUtil;
 import com.liferay.object.internal.info.collection.provider.RelatedInfoCollectionProviderFactory;
@@ -37,6 +38,7 @@
 import com.liferay.object.system.JaxRsApplicationDescriptor;
 import com.liferay.object.system.SystemObjectDefinitionManager;
 import com.liferay.object.system.SystemObjectDefinitionManagerRegistry;
+import com.liferay.object.system.util.SystemUtil;
 import com.liferay.osgi.util.service.Snapshot;
 import com.liferay.petra.sql.dsl.Column;
 import com.liferay.petra.sql.dsl.DSLQueryFactoryUtil;
@@ -286,6 +288,13 @@ public ObjectRelationship deleteObjectRelationship(
 				"Reverse object relationships cannot be deleted");
 		}
 
+		if (objectRelationship.isSystem() &&
+			!SystemUtil.allowManageSystemEntities()) {
+
+			throw new ObjectRelationshipSystemException(
+				"Only allowed bundles can delete system relationships");
+		}
+
 		objectRelationship = objectRelationshipPersistence.remove(
 			objectRelationship);
 
@@ -701,6 +710,13 @@ public ObjectRelationship updateObjectRelationship(
 			objectRelationshipPersistence.findByPrimaryKey(
 				objectRelationshipId);
 
+		if (objectRelationship.isSystem() &&
+			!SystemUtil.allowManageSystemEntities()) {
+
+			throw new ObjectRelationshipSystemException(
+				"Only allowed bundles can update system relationships");
+		}
+
 		if (objectRelationship.isReverse()) {
 			throw new ObjectRelationshipReverseException(
 				"Reverse object relationships cannot be updated");
@@ -844,6 +860,11 @@ private ObjectRelationship _addObjectRelationship(
 			boolean system, String type)
 		throws PortalException {
 
+		if (system && !SystemUtil.allowManageSystemEntities()) {
+			throw new ObjectRelationshipSystemException(
+				"Only allowed bundles can create system relationships");
+		}
+
 		_validateName(objectDefinitionId1, name);
 
 		ObjectDefinition objectDefinition1 =