Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0023518Openbravo ERPC. Securitypublic2013-04-09 17:212013-04-30 12:14
Reporteralostale 
Assigned Toalostale 
PriorityurgentSeverityminorReproducibilityN/A
StatusclosedResolutionfixed 
PlatformOS5OS Version
Product Version 
Target Version3.0MP23Fixed in Version3.0MP23 
Merge Request Status
Review Assigned ToAugustoMauch
OBNetwork customerNo
Web browser
ModulesCore
Support ticket
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary0023518: Restrict Access to Portal sessions
DescriptionPortal sessions should have limited access to:

-Web Services: json and xml webservices shouldn't be accessible to portal sessions
-ActionHandlers: only the ones that are explicitly set to be accessible by portal should be executable
-Datasources: only the ones that are explicitly set to be accessible by portal should be executable. Specially default one used to retrieve grid data shouldn't be accessible
-Query List widget datasources: They should be accessible
Steps To Reproduce-
Proposed Solution
Additional Information
TagsNo tags attached.
Relationships
related to design defect 00235203.0MP23 closed alostale Restrict access to query list widgets 
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2013-04-09 17:21alostaleNew Issue
2013-04-09 17:21alostaleAssigned To => alostale
2013-04-09 17:21alostaleModules => Core
2013-04-09 17:21alostaleOBNetwork customer => No
2013-04-09 17:21alostaleTriggers an Emergency Pack => No
2013-04-09 17:34alostaleReview Assigned To => AugustoMauch
2013-04-09 17:50alostaleRelationship addedrelated to 0023520
2013-04-15 13:49hgbotCheckin
2013-04-15 13:49hgbotNote Added: 0057898
2013-04-15 13:49hgbotStatusnew => resolved
2013-04-15 13:49hgbotResolutionopen => fixed
2013-04-15 13:49hgbotFixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/46bf40360c734a9a94b4e8f9b8e25070bc241222 [^]
2013-04-15 13:50hgbotCheckin
2013-04-15 13:50hgbotNote Added: 0057900
2013-04-16 19:18hudsonbotCheckin
2013-04-16 19:18hudsonbotNote Added: 0057975
2013-04-16 19:18hudsonbotCheckin
2013-04-16 19:18hudsonbotNote Added: 0057977
2013-04-30 12:12AugustoMauchNote Added: 0058343
2013-04-30 12:12AugustoMauchStatusresolved => closed
2013-04-30 12:14AugustoMauchFixed in Version => 3.0MP23

Notes
(0057898)
hgbot   
2013-04-15 13:49   
Repository: erp/devel/pi
Changeset: 46bf40360c734a9a94b4e8f9b8e25070bc241222
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Tue Apr 09 17:45:00 2013 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/46bf40360c734a9a94b4e8f9b8e25070bc241222 [^]

fixed issue 23518: Restrict Access to Portal sessions

-Web Services: json and xml webservices shouldn't be accessible to portal sessions
-ActionHandlers: only the ones that are explicitly set to be accessible by portal should be executable
-Datasources: only the ones that are explicitly set to be accessible by portal should be executable. Specially default one used to retrieve grid data shouldn't be accessible
-Query List widget datasources: They should be accessible

---
M modules/org.openbravo.client.application/src/org/openbravo/client/application/AlertActionHandler.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/HeartBeatPopupActionHandler.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/LogOutActionHandler.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/ParametersActionHandler.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/StorePropertyActionHandler.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/navigationbarcomponents/UserInfoWidgetActionHandler.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/window/ImagesActionHandler.java
M modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/KernelServlet.java
M modules/org.openbravo.client.myob/src/org/openbravo/client/myob/MyOpenbravoActionHandler.java
M modules/org.openbravo.client.querylist/src/org/openbravo/client/querylist/QueryListDataSource.java
M modules/org.openbravo.service.datasource/src/org/openbravo/service/datasource/DataSourceServlet.java
M modules/org.openbravo.service.json/src/org/openbravo/service/json/JsonRestServlet.java
M src/org/openbravo/dal/core/OBContext.java
M src/org/openbravo/service/web/BaseWebServiceServlet.java
---
(0057900)
hgbot   
2013-04-15 13:50   
Repository: erp/devel/pi
Changeset: 896e36129e9a302621e13fc1e8ef467af47b34c2
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Mon Apr 15 08:17:58 2013 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/896e36129e9a302621e13fc1e8ef467af47b34c2 [^]

related to issue 23518: added missing file

---
A src/org/openbravo/portal/PortalAccessible.java
---
(0057975)
hudsonbot   
2013-04-16 19:18   
A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/8df08bea850d [^]

Maturity status: Test
(0057977)
hudsonbot   
2013-04-16 19:18   
A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/8df08bea850d [^]

Maturity status: Test
(0058343)
AugustoMauch   
2013-04-30 12:12   
Code reviewed and verified in pi@a7efc1231554