Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
Issue: 0027953
Project: Openbravo ERP
Category: 09. Financial management
View Status: public
Date Submitted: 2014-10-22 18:51
Last Update: 2015-03-13 03:18
Reporter: vmromanos
Assigned To: jorge-garcia
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
5
pi 
 
Review Assigned To: aferraz
Modules: Core
Triggers an Emergency Pack: No
0027953: AccessibleOrgTree wrongly used in some reports may create security issues
Description:
In many manual reports the organization combo is filled using:

 ComboTableData comboTableData = new ComboTableData(vars, this, "TABLEDIR", "AD_ORG_ID", "",
          "", Utility.getContext(this, vars, "#AccessibleOrgTree", "XXXX"),
          Utility.getContext(this, vars, "#User_Client", "XXXX"), '*');

The "#AccessibleOrgTree" context gets the list of all the granted organizations together with their ancestor and descendant organizations.

For example, imagine our role only has access to "F&B España - Región Norte"; that means that the #AccessibleOrgTree will be: F&B España - Región Norte, F&B España, F&B International Group and 0.

If we try to launch any of the reports affected by this bug, we will be able to select any parent organization, thus reading all the information available at that level, although our role doesn't have access to this organization.

This is an important security issue that may heavily affect organization structures where this information should be confidential.

The list of reports might be very big and we should review all of them, not only Core's but the modules' reports too.
Here is a list of reports that might be affected (note that this list is not complete!):

src/org/openbravo/erpCommon/ad_reports/GeneralAccountingReports.java
src/org/openbravo/erpCommon/ad_reports/MInOutTraceReports.java
src/org/openbravo/erpCommon/ad_reports/ReportAccountingCountDimensionalAnalyses.java
src/org/openbravo/erpCommon/ad_reports/ReportAgingBalance.java
src/org/openbravo/erpCommon/ad_reports/ReportAnnualCertification.java
src/org/openbravo/erpCommon/ad_reports/ReportBank.java
src/org/openbravo/erpCommon/ad_reports/ReportBankJR.java
src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java
src/org/openbravo/erpCommon/ad_reports/ReportCash.java
src/org/openbravo/erpCommon/ad_reports/ReportCashFlow.java
src/org/openbravo/erpCommon/ad_reports/ReportCashJR.java
src/org/openbravo/erpCommon/ad_reports/ReportCashflowForecast.java
src/org/openbravo/erpCommon/ad_reports/ReportDebtPayment.java
src/org/openbravo/erpCommon/ad_reports/ReportDebtPaymentTrack.java
src/org/openbravo/erpCommon/ad_reports/ReportExpense.java
src/org/openbravo/erpCommon/ad_reports/ReportGeneralLedger.java
src/org/openbravo/erpCommon/ad_reports/ReportGeneralLedgerJournal.java
src/org/openbravo/erpCommon/ad_reports/ReportGuaranteeDateJR.java
src/org/openbravo/erpCommon/ad_reports/ReportInventory.java
src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerDimensionalAnalyses.java
src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerDimensionalAnalysesJR.java
src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerEdition.java
src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerJR.java
src/org/openbravo/erpCommon/ad_reports/ReportInvoiceDiscount.java
src/org/openbravo/erpCommon/ad_reports/ReportInvoiceDiscountJR.java
src/org/openbravo/erpCommon/ad_reports/ReportInvoiceVendorDimensionalAnalysesJR.java
src/org/openbravo/erpCommon/ad_reports/ReportInvoiceVendorJR.java
src/org/openbravo/erpCommon/ad_reports/ReportInvoices.java
src/org/openbravo/erpCommon/ad_reports/ReportInvoicesJR.java
src/org/openbravo/erpCommon/ad_reports/ReportMaterialDimensionalAnalysesJR.java
src/org/openbravo/erpCommon/ad_reports/ReportMaterialTransactionEdition.java
src/org/openbravo/erpCommon/ad_reports/ReportMaterialTransactionEditionJR.java
src/org/openbravo/erpCommon/ad_reports/ReportOffer.java
src/org/openbravo/erpCommon/ad_reports/ReportOrderNotInvoiceJR.java
src/org/openbravo/erpCommon/ad_reports/ReportParetoProduct.java
src/org/openbravo/erpCommon/ad_reports/ReportPendingProductionJr.java
src/org/openbravo/erpCommon/ad_reports/ReportPricelist.java
src/org/openbravo/erpCommon/ad_reports/ReportProductMovement.java
src/org/openbravo/erpCommon/ad_reports/ReportProduction.java
src/org/openbravo/erpCommon/ad_reports/ReportProductionCost.java
src/org/openbravo/erpCommon/ad_reports/ReportProductionJR.java
src/org/openbravo/erpCommon/ad_reports/ReportProductionRunJR.java
src/org/openbravo/erpCommon/ad_reports/ReportProjectBuildingSite.java
src/org/openbravo/erpCommon/ad_reports/ReportProjectBuildingSiteJR.java
src/org/openbravo/erpCommon/ad_reports/ReportProjectProfitabilityJR.java
src/org/openbravo/erpCommon/ad_reports/ReportProjectProgress.java
src/org/openbravo/erpCommon/ad_reports/ReportPurchaseDimensionalAnalysesJR.java
src/org/openbravo/erpCommon/ad_reports/ReportRefundInvoiceCustomerDimensionalAnalyses.java
src/org/openbravo/erpCommon/ad_reports/ReportRefundSalesDimensionalAnalyses.java
src/org/openbravo/erpCommon/ad_reports/ReportSalesDimensionalAnalyzeJR.java
src/org/openbravo/erpCommon/ad_reports/ReportSalesOrderInvoicedJasper.java
src/org/openbravo/erpCommon/ad_reports/ReportSalesOrderJR.java
src/org/openbravo/erpCommon/ad_reports/ReportSalesOrderOpenItem.java
src/org/openbravo/erpCommon/ad_reports/ReportSalesOrderOpenItemJR.java
src/org/openbravo/erpCommon/ad_reports/ReportSalesOrderProvidedJR.java
src/org/openbravo/erpCommon/ad_reports/ReportShipmentDimensionalAnalyzeJR.java
src/org/openbravo/erpCommon/ad_reports/ReportShipmentEditionJR.java
src/org/openbravo/erpCommon/ad_reports/ReportShipper.java
src/org/openbravo/erpCommon/ad_reports/ReportStandardCostJR.java
src/org/openbravo/erpCommon/ad_reports/ReportToInvoiceConsignment.java
src/org/openbravo/erpCommon/ad_reports/ReportToInvoiceConsignmentJR.java
src/org/openbravo/erpCommon/ad_reports/ReportTotalProductTemplate.java
src/org/openbravo/erpCommon/ad_reports/ReportTrialBalance.java
src/org/openbravo/erpCommon/ad_reports/ReportTrialBalanceDetail.java
src/org/openbravo/erpCommon/ad_reports/ReportValuationStock.java
src/org/openbravo/erpCommon/ad_reports/ReportWarehouseControl.java
src/org/openbravo/erpCommon/ad_reports/ReportWarehouseDetailInventoryJR.java
src/org/openbravo/erpCommon/ad_reports/ReportWarehousePartnerJR.java
src/org/openbravo/erpCommon/ad_reports/ReportWorkRequirementDaily.java
src/org/openbravo/erpCommon/ad_reports/ReportWorkRequirementDailyEnv.java
src/org/openbravo/erpCommon/ad_reports/ReportWorkRequirementJR.java
Steps To Reproduce:
1. Access the Role window and edit the "F&B España, S.A - Procurement" role to set it as "User level = Organization".
2. Go to the "Org Access" tab and delete the records for "España" and "España sur" so the role only has access to the "España Norte" organization.
3. Log out and log in again with the "F&B España, S.A - Procurement" role.
4. Go to "Purchase Dimensional Report" (which is one of the affected reports) and realize that in the Organization combo you are able to see more organizations than "España Norte".
5. Set the * organization and run the report. Realize that data from other organizations is considered.
Proposed Solution:
Use #User_Org instead, which contains only the organizations granted to the role:

 ComboTableData comboTableData = new ComboTableData(vars, this, "TABLEDIR", "AD_ORG_ID", "",
          "", Utility.getContext(this, vars, "#User_Org", "XXXX"),
          Utility.getContext(this, vars, "#User_Client", "XXXX"), '*');
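As an added example (the editor's, not Openbravo's code), the block below models the difference between the two context variables that the description above and the fix commit note on this page describe, using the F&B organization tree from the description. The organization ids, the tree, the sample rows and every function name are assumptions constructed for this example; the real #AccessibleOrgTree and #User_Org are session context strings that Openbravo computes. The example also authorises the organization a report is run for against the same granted set that fills the combo, so the check does not rest on which entries the browser displayed.

```python
from __future__ import annotations

from typing import Iterable

# Constructed organization tree modelled on the F&B demo data: child -> parent.
# "0" stands for the "*" organization at the root. The ids are assumptions for
# this example, not Openbravo's AD_ORG_ID values.
ORG_PARENT: dict[str, str | None] = {
    "0": None,
    "FB_INTL": "0",          # F&B International Group
    "FB_ES": "FB_INTL",      # F&B España
    "FB_ES_NORTE": "FB_ES",  # F&B España - Región Norte
    "FB_ES_SUR": "FB_ES",    # F&B España - Región Sur
    "FB_US": "FB_INTL",      # F&B US (assumed sibling branch)
}

# Constructed report data: (organization, amount). A report launched for an
# organization reads everything at that level, i.e. the org and its subtree.
RECORDS: list[tuple[str, int]] = [
    ("FB_ES_NORTE", 100),
    ("FB_ES_SUR", 250),
    ("FB_ES", 40),
    ("FB_US", 900),
]


def ancestors(org: str) -> set[str]:
    """All organizations above `org`, up to and including the root."""
    out: set[str] = set()
    parent = ORG_PARENT[org]
    while parent is not None:
        out.add(parent)
        parent = ORG_PARENT[parent]
    return out


def descendants(org: str) -> set[str]:
    """All organizations below `org`."""
    out: set[str] = set()
    frontier = [org]
    while frontier:
        current = frontier.pop()
        for child, parent in ORG_PARENT.items():
            if parent == current:
                out.add(child)
                frontier.append(child)
    return out


def accessible_org_tree(granted: Iterable[str]) -> set[str]:
    """Model of #AccessibleOrgTree: granted orgs plus their ancestors and descendants."""
    granted = set(granted)
    result = set(granted)
    for org in granted:
        result |= ancestors(org)
        result |= descendants(org)
    return result


def user_org(granted: Iterable[str]) -> set[str]:
    """Model of #User_Org: only the organizations the role is granted."""
    return set(granted)


def leaked_orgs(granted: Iterable[str]) -> set[str]:
    """Organizations a combo built from #AccessibleOrgTree offers beyond the grant."""
    return accessible_org_tree(granted) - user_org(granted)


def report_rows(selected_org: str, allowed: set[str]) -> list[tuple[str, int]]:
    """Run the report for `selected_org`, authorising the selection against `allowed`.

    The same set fills the combo and checks the submitted value, so a value
    that was never offered (or was tampered with) is rejected too.
    """
    if selected_org not in allowed:
        raise PermissionError(f"organization {selected_org} not granted to this role")
    scope = {selected_org} | descendants(selected_org)
    return [row for row in RECORDS if row[0] in scope]


def selection_is_rejected(selected_org: str, allowed: set[str]) -> bool:
    """True when `report_rows` refuses `selected_org` for this grant."""
    try:
        report_rows(selected_org, allowed)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    granted = {"FB_ES_NORTE"}
    print("combo from #AccessibleOrgTree:", sorted(accessible_org_tree(granted)))
    print("combo from #User_Org:         ", sorted(user_org(granted)))
    # Bug: the parent is selectable, so the whole España subtree is read.
    print("rows read via FB_ES:", report_rows("FB_ES", accessible_org_tree(granted)))
    # Fix: the parent is rejected; only the granted organization is readable.
    print("FB_ES rejected:", selection_is_rejected("FB_ES", user_org(granted)))
    print("rows for FB_ES_NORTE:", report_rows("FB_ES_NORTE", user_org(granted)))
```

Running the block reproduces the description's set for a role granted only Región Norte (Norte, F&B España, F&B International Group and 0) and shows a report launched at F&B España reading the Región Sur rows when the combo comes from the #AccessibleOrgTree model, while the same selection is rejected under the #User_Org model. The * (0) organization is not in the granted set here; how it is treated together with #User_Org is the subject of the related issue 0030781 listed on this page.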
No tags attached.
Relationships:
related to: design defect 0027459 (scheduled, reinaldoguerra) Data from non-accessible organizations is obtained in Multidimensional reports
caused by: defect 0006199 (closed, alostale) Role with Organisation access can't fill out many required combos
related to: defect 0028675, 3.0PR15Q2 (closed, reinaldoguerra) AccessibleOrgTree wrongly used in some reports
related to: defect 0030781, 3.0PR15Q4 (closed, vmromanos) Define new preference to be able to not include * organization when using #User_Org variable
Issue History
2014-10-22 18:51  vmromanos  New Issue
2014-10-22 18:51  vmromanos  Assigned To => dmiguelez
2014-10-22 18:51  vmromanos  Modules => Core
2014-10-22 18:51  vmromanos  Triggers an Emergency Pack => No
2014-10-22 18:52  vmromanos  Relationship added: caused by 0006199
2014-10-22 18:52  vmromanos  Relationship added: related to 0027459
2014-11-10 19:06  ngarcia  Issue Monitored: ngarcia
2014-11-12 13:39  ngarcia  Note Added: 0071608
2014-11-18 19:12  jonalegriaesarte  Resolution time => 1418943600
2014-12-22 16:48  shuehner  Issue Monitored: shuehner
2015-01-19 13:21  Sandrahuguet  Relationship added: related to 0028675
2015-02-11 16:44  Sandrahuguet  Assigned To: dmiguelez => jorge-garcia
2015-02-18 11:56  Sandrahuguet  Status: new => scheduled
2015-02-18 11:56  Sandrahuguet  fix_in_branch => pi
2015-02-26 08:48  Sandrahuguet  Review Assigned To => aferraz
2015-02-26 08:48  Sandrahuguet  fix_in_branch: pi =>
2015-03-03 13:34  jorge-garcia  Note Added: 0075117
2015-03-04 15:01  psanjuan  Note Edited: 0075117 (bug_revision_view_page.php?bugnote_id=0075117#r7844)
2015-03-05 11:02  psanjuan  Note Edited: 0075117 (bug_revision_view_page.php?bugnote_id=0075117#r7861)
2015-03-12 13:41  hgbot  Checkin
2015-03-12 13:41  hgbot  Note Added: 0075486
2015-03-12 13:41  hgbot  Status: scheduled => resolved
2015-03-12 13:41  hgbot  Resolution: open => fixed
2015-03-12 13:41  hgbot  Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/e5cd53fc814121bab1e327289c7636253b4f90b9
2015-03-12 13:41  hgbot  Checkin
2015-03-12 13:41  hgbot  Note Added: 0075487
2015-03-12 13:42  aferraz  Note Added: 0075488
2015-03-12 13:42  aferraz  Status: resolved => closed
2015-03-13 03:18  hudsonbot  Checkin
2015-03-13 03:18  hudsonbot  Note Added: 0075514
2015-03-13 03:18  hudsonbot  Checkin
2015-03-13 03:18  hudsonbot  Note Added: 0075515
2015-09-07 14:11  vmromanos  Relationship added: related to 0030781

Notes
(0071608)
ngarcia   
2014-11-12 13:39   
It also happens in transactional windows
(0075117)
jorge-garcia   
2015-03-03 13:34   
(edited on: 2015-03-05 11:02)
Test Plan General:
Remember to set User Level = 'Organization' and delete some Org Access lines in the Role window for the roles used.

1) Test Plan 1: Asset Report for Depreciation Schedule
As F&B España, S.A - Finance:
Go to Asset Report for Depreciation Schedule.
See that in the Organization combo only the logged role's organizations are available.
Click on the Search button and realize that only data from the logged role's organizations is considered, as these organizations are selected in the combo.

2) Test Plan 2: Invoice Taxes Report
As System Administrator:
Go to the Process and Reports window and activate this report.
Go to Menu and activate the Invoice Taxes Report menu.
As F&B España, S.A - Finance:
Go to Invoice Taxes Report and fill in the mandatory filters:
 From Date: 01-01-2014
 To Date: 31-12-2014
Click on HTML Format and realize that only data from the logged role's organizations is considered, as these organizations are selected in the combo.

3) Test Plan 3: Pareto Product Report
/* Optional */
As F&B International Group Admin:
Go to the Role window and select one of the roles.
Go to the Report and Process Access tab and give access to the Pareto Product Report.

With the selected role:
Go to Pareto Product Report and fill in the mandatory filters:
 Currency: currency of the report
 Warehouse: warehouse of the selected organization
Click on Search and realize that only data from the selected organizations and warehouse is considered.

4) Test Plan 4: Create Budget Reports in Excel
As F&B España, S.A - Finance:
Go to Create Budget Reports in Excel and fill in the mandatory filters:
 General Ledger: F&B España, S.A. US/A/Euro
 Account Element: any
Realize that only organizations from the logged role appear in the Trx Organization combo. Click on Generate Excel.

5) Test Plan 5: Payment Aging Balance
/* Optional */ Former report.
As System Administrator:
Go to the Report and Process window and activate the Payment Aging Balance report.
Go to the Menu window and activate the Payment Aging Balance menu.

As F&B International Group Admin:
Go to the Role window and select one of the roles.
Go to the Report and Process Access tab and give access to the Payment Aging Balance report.

With the selected role, realize that only organizations from the logged role appear in the Organization list.

6) Test Plan 6: Sales Order Returns Dimensional Report
As System Administrator:
Go to the Report and Process window and activate the Sales Order Returns Dimensional Report.
Go to the Menu window and activate the Sales Order Returns Dimensional Report if it is not active yet.

As F&B International Group Admin:
Go to the Role window and select one of the roles.
Go to the Report and Process Access tab and give access to the Sales Order Returns Dimensional report.

With the selected role:
Go to Sales Order Returns Dimensional Report and fill in the mandatory filters:
 From Date: 01-01-2011
 To Date: 31-03-2011
See that in the Organization combo only the logged role's organizations are available.

7) Test Plan 7: Orders Awaiting Invoice Report
/* Optional */
As F&B International Group Admin:
Go to the Role window and select one of the roles.
Go to the Report and Process Access tab and give access to the Orders Awaiting Invoice report.

With the selected role:
Go to Orders Awaiting Invoice Report and fill in the mandatory filters.
See that in the Organization combo only the logged role's organizations are available.

8) Test Plan 8: Shipments Dimensional Report
As F&B España, S.A - Finance:
Go to Shipments Dimensional Report and fill in the mandatory filters:
 From Date: 01-02-2011
 To Date: 31-02-2011
See that in the Organization combo only the logged role's organizations are available.
Click on HTML Format and realize that only data from the logged role's organizations is considered, as these organizations are selected in the combo.

9) Test Plan 9: Project Profitability
/* Optional */
As F&B International Group Admin:
Go to the Role window and select one of the roles.
Go to the Report and Process Access tab and give access to the Project Profitability report.

With the selected role:
Go to Project Profitability and fill in the mandatory filters.
See that in the Organization combo only the logged role's organizations are available.

10) Test Plan 10: Withholding Report
As System Administrator:
Go to the Report and Process window and activate the Withholding Report.
Go to the Menu window and activate the Withholding Report if it is not active yet.

As F&B International Group Admin:
Go to the Role window and select one of the roles.
Go to the Report and Process Access tab and give access to the Withholding Report.

With the selected role:
Go to Withholding Report and fill in the mandatory filters.
See that in the Organization combo only the logged role's organizations are available.

11) Test Plan 11: Goods Receipts Dimensional Report
As F&B España, S.A - Finance:
Go to Goods Receipts Dimensional Report and fill in the mandatory filters:
 From Date: 01-02-2011
 To Date: 31-03-2011
See that in the Organization combo only the logged role's organizations are available.

12) Test Plan 12: Sales Invoice Dimensional Report
As F&B España, S.A - Finance:
Go to Sales Invoice Dimensional Report and fill in the mandatory filters:
 From Date: 01-02-2011
 To Date: 31-03-2011
See that in the Organization combo only the logged role's organizations are available.

13) Test Plan 13: Orders Awaiting Delivery Report
As F&B España S.A. - Warehouse:
Go to Orders Awaiting Delivery Report.
See that in the Organization combo only the logged role's organizations are available.
Click on the PDF Format button and realize that only data from the logged role's organizations is considered, as these organizations are selected in the combo.

(0075486)
hgbot   
2015-03-12 13:41   
Repository: erp/devel/pi
Changeset: e5cd53fc814121bab1e327289c7636253b4f90b9
Author: Jorge Garcia <jorge.garcia <at> openbravo.com>
Date: Tue Feb 17 12:33:34 2015 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/e5cd53fc814121bab1e327289c7636253b4f90b9

Fixed issue 27953 AccessibleOrgTree wrongly used in some reports

In many manual reports the organization combo is filled using:

ComboTableData comboTableData = new ComboTableData(vars, this,
  "TABLEDIR", "AD_ORG_ID", "", "", Utility.getContext(this, vars,
  "#AccessibleOrgTree", "XXXX"), Utility.getContext(this, vars,
  "#User_Client", "XXXX"), '*');

“#AccessibleOrgTree” context gets the list of all the granted organizations,
their ancestors and their descendants organizations. It's necessary to use
“#User_Org” instead, which contains the organizations that are granted
by the role:

ComboTableData comboTableData = new ComboTableData(vars, this,
  "TABLEDIR", "AD_ORG_ID", "", "", Utility.getContext(this, vars,
  "#User_Org", "XXXX"), Utility.getContext(this, vars,
  "#User_Client", "XXXX"), '*');

Reports from these folders have been checked:
src/org/openbravo/erpCommon/ad_reports
src/org/openbravo/erpReports

Files affected by this issue have been changed and tried.

---
M modules/org.openbravo.reports.ordersawaitingdelivery/src/org/openbravo/reports/ordersawaitingdelivery/erpCommon/ad_reports/ReportOrderNotShipped.java
M src/org/openbravo/erpCommon/ad_reports/ReportAgingBalance.java
M src/org/openbravo/erpCommon/ad_reports/ReportAnnualCertification.java
M src/org/openbravo/erpCommon/ad_reports/ReportAssetDepreciationSchedule.java
M src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java
M src/org/openbravo/erpCommon/ad_reports/ReportCashFlow.java
M src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerDimensionalAnalysesJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportMaterialDimensionalAnalysesJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportOrderNotInvoiceJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportParetoProduct.java
M src/org/openbravo/erpCommon/ad_reports/ReportProjectProfitabilityJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportRefundSalesDimensionalAnalyses.java
M src/org/openbravo/erpCommon/ad_reports/ReportShipmentDimensionalAnalyzeJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportTaxInvoiceJR.java
---
(0075487)
hgbot   
2015-03-12 13:41   
Repository: erp/devel/pi
Changeset: 9e165ce2e31193b859c04864358d30bbfb6f040d
Author: Jorge Garcia <jorge.garcia <at> openbravo.com>
Date: Tue Mar 03 12:04:20 2015 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/9e165ce2e31193b859c04864358d30bbfb6f040d

Related to issue 27953: Updated Copyright

Updated Copyright dates

---
M modules/org.openbravo.reports.ordersawaitingdelivery/src/org/openbravo/reports/ordersawaitingdelivery/erpCommon/ad_reports/ReportOrderNotShipped.java
M src/org/openbravo/erpCommon/ad_reports/ReportAgingBalance.java
M src/org/openbravo/erpCommon/ad_reports/ReportAnnualCertification.java
M src/org/openbravo/erpCommon/ad_reports/ReportAssetDepreciationSchedule.java
M src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java
M src/org/openbravo/erpCommon/ad_reports/ReportCashFlow.java
M src/org/openbravo/erpCommon/ad_reports/ReportMaterialDimensionalAnalysesJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportOrderNotInvoiceJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportParetoProduct.java
M src/org/openbravo/erpCommon/ad_reports/ReportProjectProfitabilityJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportRefundSalesDimensionalAnalyses.java
M src/org/openbravo/erpCommon/ad_reports/ReportShipmentDimensionalAnalyzeJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportTaxInvoiceJR.java
---
(0075488)
aferraz   
2015-03-12 13:42   
Code review + Testing OK
(0075514)
hudsonbot
2015-03-13 03:18
A changeset related to this issue has been promoted to main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/6f599d5217c4
Maturity status: Test
(0075515)
hudsonbot
2015-03-13 03:18
A changeset related to this issue has been promoted to main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/6f599d5217c4
Maturity status: Test