Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
0012594 | Openbravo ERP | A. Platform | public | 2010-03-08 13:30 | 2010-05-19 00:00
mtaal
mtaal
normal | minor | have not tried
closed | fixed
5
pi 
pi 
Core
No
0012594: Make setting of administrator mode less vulnerable for wrong usage
Make setting of administrator mode less vulnerable for wrong usage. The current approach is this:
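// Enter admin mode and remember the mode that was active before
boolean oldMode = ...setAdminMode(true);
try {
   // work that needs administrator mode
} finally {
   // restore the remembered mode, not a hard-coded value
   setAdminMode(oldMode);
}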

If one forgets to use the oldMode variable and instead does: setAdminMode(false) then this gives unpredictable results.

The following API is less vulnerable:

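setInAdminMode();
try {
   // work that needs administrator mode
} finally {
   // no value to pass, so the caller cannot restore the wrong mode
   restorePreviousAdminMode();
}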
No tags attached.
patch adminmode3.patch (90,766) 2010-05-03 21:58
https://issues.openbravo.com/file_download.php?file_id=2517&type=bug
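The failure described above, shown with nested callers, as an added example that is not part of the original issue or of Openbravo's code. FlagContext, StackContext and both helper methods are hypothetical stand-ins for the two API styles; the stack follows the wording of issue 12660 quoted in the notes below.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Added illustration: hypothetical stand-ins, not Openbravo's OBContext.
public class AdminModeDemo {
  // Old style: one boolean; the caller must keep and restore the old value.
  static class FlagContext {
    private boolean admin;
    boolean setAdminMode(boolean on) { boolean old = admin; admin = on; return old; }
    boolean isAdmin() { return admin; }
  }
  // New style: each enable pushes the previous mode, restore pops it.
  static class StackContext {
    private final Deque<Boolean> previous = new ArrayDeque<>();
    private boolean admin;
    void setInAdminMode() { previous.push(admin); admin = true; }
    void restorePreviousAdminMode() {
      if (previous.isEmpty()) throw new IllegalStateException("restore without matching set");
      admin = previous.pop();
    }
    boolean isAdmin() { return admin; }
  }
  // Helper with the mistake from the issue: hard-coded false in finally.
  static void buggyHelper(FlagContext ctx) {
    ctx.setAdminMode(true);
    try { /* privileged read */ } finally { ctx.setAdminMode(false); }
  }
  // Same helper on the stack API: there is no value to get wrong.
  static void helper(StackContext ctx) {
    ctx.setInAdminMode();
    try { /* privileged read */ } finally { ctx.restorePreviousAdminMode(); }
  }
  public static void main(String[] args) {
    FlagContext flag = new FlagContext();
    boolean old = flag.setAdminMode(true); // outer caller enters admin mode
    try {
      buggyHelper(flag); // silently drops the outer caller's admin mode
      System.out.println("flag API, still admin after helper: " + flag.isAdmin());
    } finally { flag.setAdminMode(old); }

    StackContext stack = new StackContext();
    stack.setInAdminMode();
    try {
      helper(stack); // pops back to the outer caller's mode
      System.out.println("stack API, still admin after helper: " + stack.isAdmin());
    } finally { stack.restorePreviousAdminMode(); }
  }
}
```

With the flag API the outer caller's remaining code runs without the mode it asked for, and which code is affected depends on the call order; the stack API also turns an unbalanced restore into an immediate error instead of a silent state change.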
Issue History
2010-03-08 13:30 | mtaal | New Issue
2010-03-08 13:30 | mtaal | Assigned To => mtaal
2010-03-08 14:29 | shuehner | Issue Monitored: shuehner
2010-03-08 15:35 | alostale | Status | new => scheduled
2010-03-08 15:35 | alostale | fix_in_branch => pi
2010-03-19 19:37 | hgbot | Checkin
2010-03-19 19:37 | hgbot | Note Added: 0025626
2010-04-19 21:10 | hudsonbot | Checkin
2010-04-19 21:10 | hudsonbot | Note Added: 0026358
2010-05-03 10:13 | mtaal | File Added: adminmode.patch
2010-05-03 17:44 | mtaal | File Deleted: adminmode.patch
2010-05-03 17:44 | mtaal | File Added: adminmode2.patch
2010-05-03 21:58 | mtaal | File Deleted: adminmode2.patch
2010-05-03 21:58 | mtaal | File Added: adminmode3.patch
2010-05-05 14:18 | hgbot | Checkin
2010-05-05 14:18 | hgbot | Note Added: 0026957
2010-05-05 14:18 | hgbot | Status | scheduled => resolved
2010-05-05 14:18 | hgbot | Resolution | open => fixed
2010-05-05 14:18 | hgbot | Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/57390029073861fd9eef7115fa83812d18d6cc09
2010-05-18 13:34 | shuehner | Note Added: 0027420
2010-05-18 13:34 | shuehner | Status | resolved => closed
2010-05-18 21:43 | hudsonbot | Checkin
2010-05-18 21:43 | hudsonbot | Note Added: 0027481
2010-05-19 00:00 | anonymous | sf_bug_id | 0 => 3003669

Notes
(0025626)
hgbot   
2010-03-19 19:37   
Repository: erp/devel/pi
Changeset: 9fb31e4618ba3b4893f68d0920e28e580207a1a8
Author: Martin Taal <martin.taal <at> openbravo.com>
Date: Fri Mar 19 19:45:23 2010 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/9fb31e4618ba3b4893f68d0920e28e580207a1a8

Removed test for issue 12594, unintentionally committed

---
M src-test/org/openbravo/test/dal/IssuesTest.java
---
(0026358)
hudsonbot   
2010-04-19 21:10   
A changeset related to this issue has been promoted to main after passing a series of tests and an OBX has been generated:

Changeset: http://code.openbravo.com/erp/devel/main/rev/9fb31e4618ba
Merge Changeset: http://code.openbravo.com/erp/devel/main/rev/91d98bda46c1
Tests: http://builds.openbravo.com/view/devel-int/
OBX: http://builds.openbravo.com/erp/core/obx/OpenbravoERP-2.50CI.17088.obx
(0026957)
hgbot   
2010-05-05 14:18   
Repository: erp/devel/pi
Changeset: 57390029073861fd9eef7115fa83812d18d6cc09
Author: Martin Taal <martin.taal <at> openbravo.com>
Date: Wed May 05 14:18:16 2010 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/57390029073861fd9eef7115fa83812d18d6cc09

fixes issue 12594: Make setting of administrator mode less vulnerable for wrong usage
fixes issue 12660: OBContext enableAsAdminContext - resetAsAdminContext should use an stack

---
M src-test/org/openbravo/test/base/BaseTest.java
M src-test/org/openbravo/test/dal/OBContextTest.java
M src-test/org/openbravo/test/model/UtilsTest.java
M src-test/org/openbravo/test/xml/EntityXMLImportTestBusinessObject.java
M src-test/org/openbravo/test/xml/EntityXMLImportTestReference.java
M src/org/openbravo/base/secureApp/HttpSecureAppServlet.java
M src/org/openbravo/base/secureApp/LoginHandler.java
M src/org/openbravo/base/secureApp/LoginUtils.java
M src/org/openbravo/base/secureApp/UserLock.java
M src/org/openbravo/base/secureApp/VariablesSecureApp.java
M src/org/openbravo/dal/core/DalInitializingTask.java
M src/org/openbravo/dal/core/DalRequestFilter.java
M src/org/openbravo/dal/core/OBContext.java
M src/org/openbravo/dal/core/TriggerHandler.java
M src/org/openbravo/dal/security/EntityAccessChecker.java
M src/org/openbravo/dal/xml/EntityResolver.java
M src/org/openbravo/dal/xml/EntityXMLConverter.java
M src/org/openbravo/erpCommon/ad_callouts/SL_GlobalUse_Product.java
M src/org/openbravo/erpCommon/ad_callouts/SL_InOutLine_Product.java
M src/org/openbravo/erpCommon/ad_callouts/SL_Internal_Consumption_Product.java
M src/org/openbravo/erpCommon/ad_callouts/SL_Inventory_Product.java
M src/org/openbravo/erpCommon/ad_callouts/SL_Movement_Product.java
M src/org/openbravo/erpCommon/ad_callouts/SL_PC_Case_Product.java
M src/org/openbravo/erpCommon/ad_callouts/SL_Production_Product.java
M src/org/openbravo/erpCommon/ad_callouts/SL_RequisitionLine_Product.java
M src/org/openbravo/erpCommon/ad_forms/About.java
M src/org/openbravo/erpCommon/ad_forms/DocFINFinAccTransaction.java
M src/org/openbravo/erpCommon/ad_forms/DocFINPayment.java
M src/org/openbravo/erpCommon/ad_forms/DocFINReconciliation.java
M src/org/openbravo/erpCommon/ad_forms/InitialOrgSetup.java
M src/org/openbravo/erpCommon/ad_forms/Role.java
M src/org/openbravo/erpCommon/ad_process/ApplyModules.java
M src/org/openbravo/erpCommon/ad_process/CreateCustomModule.java
M src/org/openbravo/erpCommon/ad_process/PaymentMonitor.java
M src/org/openbravo/erpCommon/businessUtility/AuditTrailPopup.java
M src/org/openbravo/erpCommon/info/AttributeSetInstance.java
M src/org/openbravo/erpCommon/info/ImageInfoBLOB.java
M src/org/openbravo/erpCommon/modules/ModuleUtiltiy.java
M src/org/openbravo/erpCommon/obps/ActivationKey.java
M src/org/openbravo/erpCommon/obps/CheckCleanCache.java
M src/org/openbravo/erpCommon/obps/GetOpenbravoLogo.java
M src/org/openbravo/erpCommon/security/Login.java
M src/org/openbravo/erpCommon/security/Menu.java
M src/org/openbravo/erpCommon/security/SessionLogin.java
M src/org/openbravo/erpCommon/utility/ImageToDatabaseLoader.java
M src/org/openbravo/erpCommon/utility/ShowImage.java
M src/org/openbravo/erpCommon/utility/ShowImageLogo.java
M src/org/openbravo/erpCommon/utility/ToolBar.java
M src/org/openbravo/erpCommon/utility/UsedByLink.java
M src/org/openbravo/erpCommon/utility/Utility.java
M src/org/openbravo/erpCommon/utility/VerticalMenu.java
M src/org/openbravo/reference/Reference.java
M src/org/openbravo/reference/ui/UIList.java
M src/org/openbravo/service/dataset/DataSetService.java
M src/org/openbravo/service/db/CallProcess.java
M src/org/openbravo/service/db/DataExportService.java
M src/org/openbravo/service/db/DataImportService.java
M src/org/openbravo/service/system/SystemService.java
M src/org/openbravo/service/web/UserContextCache.java
---
(0027420)
shuehner   
2010-05-18 13:34   
Tested in pi/pg, working fine. A new/consistent API is introduced for enabling/disabling admin mode. All older APIs for the same are deprecated. All core callers are already updated to use the new API. The deprecation warnings which will be shown by using non-updated code (i.e. in modules) will be hidden by default in the rebuild popup but shown in the console and Eclipse builds.
(0027481)
hudsonbot   
2010-05-18 21:43   
A changeset related to this issue has been promoted to main after passing a series of tests and an OBX has been generated:

Changeset: http://code.openbravo.com/erp/devel/main/rev/573900290738
Merge Changeset: http://code.openbravo.com/erp/devel/main/rev/aa11838d5f80
Tests: http://builds.openbravo.com/view/devel-int/
OBX: http://builds.openbravo.com/erp/core/obx/OpenbravoERP-2.50CI.17380.obx