Openbravo Issue Tracking System - Openbravo ERP |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0010966 | Openbravo ERP | Y. DBSourceManager | public | 2009-10-14 14:15 | 2009-10-23 00:01 |
|
| Reporter | walle | |
| Assigned To | mtaal | |
| Priority | normal | Severity | major | Reproducibility | always |
| Status | closed | Resolution | fixed | |
| Platform | | OS | 20 | OS Version | rPath Linux |
| Product Version | 2.50MP6 | |
| Target Version | | Fixed in Version | pi | |
| Merge Request Status | |
| Review Assigned To | |
| OBNetwork customer | |
| Web browser | |
| Modules | Core |
| Support ticket | |
| Regression level | |
| Regression date | |
| Regression introduced in release | |
| Regression introduced by commit | |
| Triggers an Emergency Pack | No |
|
| Summary | 0010966: Webservices - Access rights |
| Description | The webservices Access rights are not the same as for Openbravo ERP.
This means as normal user which has no rights to open the window role.
with webservices can see all roles.
|
| Steps To Reproduce | logon with a user which has no rights to open the role. for example
with a user which has rights only for a certain organisation.
When the user has assigned the role window, he can not open it,
but with the following url he can see all roles and other settings
http://openbravohost:8180/context/ws/dal/ADRole [^] |
| Proposed Solution | . |
| Additional Information | |
| Tags | No tags attached. |
| Relationships | |
| Attached Files | |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2009-10-14 14:15 | walle | New Issue | |
| 2009-10-14 14:15 | walle | Assigned To | => marvintm |
| 2009-10-14 14:42 | marvintm | Assigned To | marvintm => mtaal |
| 2009-10-16 13:44 | psarobe | Status | new => scheduled |
| 2009-10-16 13:44 | psarobe | fix_in_branch | => pi |
| 2009-10-19 10:47 | mtaal | Note Added: 0021155 | |
| 2009-10-19 10:47 | mtaal | Status | scheduled => feedback |
| 2009-10-19 20:17 | walle | Note Added: 0021191 | |
| 2009-10-22 11:07 | mtaal | Status | feedback => scheduled |
| 2009-10-22 11:07 | mtaal | Note Added: 0021317 | |
| 2009-10-22 11:11 | mtaal | Status | scheduled => resolved |
| 2009-10-22 11:11 | mtaal | Fixed in Version | => pi |
| 2009-10-22 11:11 | mtaal | Fixed in SCM revision | => 5281 |
| 2009-10-22 11:11 | mtaal | Resolution | open => fixed |
| 2009-10-22 11:11 | mtaal | Note Added: 0021318 | |
| 2009-10-22 11:21 | plujan | Status | resolved => closed |
| 2009-10-23 00:01 | anonymous | sf_bug_id | 0 => 2884262 |
|
Notes |
|
|
(0021155)
|
|
mtaal
|
|
2009-10-19 10:47
|
|
Hi,
I did a test and it worked fine with me. I use the standard Openbravo SmallBazaar demo set. logged in with Openbravo/openbravo and then changed the role to Finance. Then I tried the url you mention in your bugreport and I get this error message (which is correct):
<ob:error xmlns:ob="http://www.openbravo.com"><message>Entity [^] ADRole is not readable by the user 100</message></ob:error>
Did you try with the Openbravo Smallbazaar test set? Can you elaborate a bit more on what steps you took to reproduce this exception?
gr. Martin |
|
|
|
(0021191)
|
|
walle
|
|
2009-10-19 20:17
|
|
HI...
Ok, this is the constellation
Created new client.
Created new organization (generic)
Created new standard role (not manual) on organization level (not client/organization)
created new user and assigned the created org-role to the user.
when the user logs in, he can see the Role window in the menu, but when he clicks on Role he get the message that he has not the rights with the current role, that is because of the rights level of the window himself and is ok.
but now you go to the url as discussed and the user can see every information about roles of the current client. (the role is only a example, is working in same way also for other windows)
If you remove the Role Window from the org-role rights, then the user is not seeing the menu item, and also in the webservices he can not see all information, but he can still see the role names.
I hope my explanation was understandable.
BR, Walter |
|
|
|
(0021317)
|
|
mtaal
|
|
2009-10-22 11:07
|
|
Hi Walter,
Thanks, this issue was/is related to the access level which was not checked correctly by the webservice. I have solved this, the solution is available in Mercurial.
gr. Martin |
|
|
|
(0021318)
|
|
mtaal
|
|
2009-10-22 11:11
|
|
|
DAL now also uses data and user access level for checking access |
|