Actions with confirmation or password: Prevent context menu backdoor

kasemir · kasemir · commit cedcd0c72e8f · 2025-04-15T14:07:55.000-04:00
diff --git a/app/display/runtime/src/main/java/org/csstudio/display/builder/runtime/app/ContextMenuSupport.java b/app/display/runtime/src/main/java/org/csstudio/display/builder/runtime/app/ContextMenuSupport.java
@@ -1,12 +1,15 @@
 /*******************************************************************************
- * Copyright (c) 2017-2020 Oak Ridge National Laboratory.
+ * Copyright (c) 2017-2025 Oak Ridge National Laboratory.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
  * http://www.eclipse.org/legal/epl-v10.html
  *******************************************************************************/
 package org.csstudio.display.builder.runtime.app;
 
+import static org.csstudio.display.builder.model.properties.CommonWidgetProperties.propConfirmMessage;
+import static org.csstudio.display.builder.model.properties.CommonWidgetProperties.propPassword;
+
 import javafx.collections.ObservableList;
 import javafx.scene.Node;
 import javafx.scene.Parent;
@@ -127,12 +130,19 @@ private void fillMenu(Runnable setFocus, final Widget widget) {
         }
 
         // Widget actions
-        for (ActionInfo info : widget.propActions().getValue().getActions()) {
-            List<MenuItem> actionMenuItems = info.getContextMenuItems(RuntimeUtil.getExecutor(), widget);
-            if (actionMenuItems != null) {
-                items.addAll(actionMenuItems);
+        // Skip if widget requires password or confirmation dialog,
+        // because in here we would invoke actions without those constraints
+        final Optional<WidgetProperty<String>> pass = widget.checkProperty(propPassword);
+        final Optional<WidgetProperty<String>> prompt = widget.checkProperty(propConfirmMessage);
+        final boolean need_dialog = (pass.isPresent()  &&  !pass.get().getValue().isBlank())  ||
+                                  (prompt.isPresent()  &&  !prompt.get().getValue().isBlank());
+        if (! need_dialog)
+            for (ActionInfo info : widget.propActions().getValue().getActions()) {
+                List<MenuItem> actionMenuItems = info.getContextMenuItems(RuntimeUtil.getExecutor(), widget);
+                if (actionMenuItems != null) {
+                    items.addAll(actionMenuItems);
+                }
             }
-        }
 
         // Actions of the widget runtime
         final WidgetRuntime<Widget> runtime = RuntimeUtil.getRuntime(widget);
