Openbravo Issue Tracking System - Openbravo ERP |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0018987 | Openbravo ERP | 01. General setup | public | 2011-11-06 18:39 | 2012-03-02 15:37 |
|
| Reporter | pjuvara | |
| Assigned To | alostale | |
| Priority | normal | Severity | critical | Reproducibility | always |
| Status | closed | Resolution | fixed | |
| Platform | | OS | 5 | OS Version | |
| Product Version | 3.0MP4.1 | |
| Target Version | | Fixed in Version | 3.0MP9 | |
| Merge Request Status | |
| Review Assigned To | |
| OBNetwork customer | |
| Web browser | |
| Modules | Core |
| Support ticket | |
| Regression level | |
| Regression date | |
| Regression introduced in release | |
| Regression introduced by commit | |
| Triggers an Emergency Pack | No |
|
| Summary | 0018987: Inconsistent security access for menus between system client and other clients |
| Description | In Openbravo the menu definition is done at system level and it should not be possible to see it and modify it at client level.
However, if I connect with a client admin role, I can open the Menu window. While I cannot see the records, I can open the menu tree, see the data and change the order of the records.
The changes commit successfully and impact the whole system; this mean that the admin user of one client is able to affect the behavior of all the other clients, including system.
In a multi-client environment this is a big issue. |
| Steps To Reproduce | See video |
| Proposed Solution | You should not be able to open the tree with a client admin role. |
| Additional Information | |
| Tags | No tags attached. |
| Relationships | |
| Attached Files | |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2011-11-06 18:39 | pjuvara | New Issue | |
| 2011-11-06 18:39 | pjuvara | Assigned To | => jonalegriaesarte |
| 2011-11-06 18:39 | pjuvara | Modules | => Core |
| 2011-11-06 18:40 | pjuvara | Issue Monitored: pjuvara | |
| 2011-11-06 18:40 | pjuvara | Issue Monitored: iciordia | |
| 2012-02-15 19:04 | iciordia | Assigned To | jonalegriaesarte => vmromanos |
| 2012-02-16 17:51 | vmromanos | Assigned To | vmromanos => alostale |
| 2012-02-17 11:35 | hgbot | Checkin | |
| 2012-02-17 11:35 | hgbot | Note Added: 0045231 | |
| 2012-02-17 11:35 | hgbot | Status | new => resolved |
| 2012-02-17 11:35 | hgbot | Resolution | open => fixed |
| 2012-02-17 11:35 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/devel/pi/rev/6409589a6ef9a4e6b856c12b61dd04d03fd1f9c5 [^] |
| 2012-02-17 11:42 | alostale | Note Added: 0045232 | |
| 2012-02-17 12:09 | AugustoMauch | Note Added: 0045233 | |
| 2012-02-17 12:09 | AugustoMauch | Status | resolved => closed |
| 2012-02-17 12:09 | AugustoMauch | Fixed in Version | => 3.0MP9 |
| 2012-03-02 15:37 | hudsonbot | Checkin | |
| 2012-03-02 15:37 | hudsonbot | Note Added: 0045880 | |
|
Notes |
|
|
(0045231)
|
|
hgbot
|
|
2012-02-17 11:35
|
|
|
|
|
|
Added access check for parent window to tree popup: no regression risk.
Test plan:
-Menu tree still works for Sys Admin: it opens and it is possible to rearrange items.
-Using Client Admin role trying to open the tree popup shows an error popup
-Other trees (such as Organization and account tree) still work |
|
|
|
|
|
Code reviewed and verified |
|
|
|
|
|