Openbravo Issue Tracking System - Openbravo ERP |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0027953 | Openbravo ERP | 09. Financial management | public | 2014-10-22 18:51 | 2015-03-13 03:18 |
|
| Reporter | vmromanos | |
| Assigned To | jorge-garcia | |
| Priority | normal | Severity | major | Reproducibility | have not tried |
| Status | closed | Resolution | fixed | |
| Platform | | OS | 5 | OS Version | |
| Product Version | pi | |
| Target Version | | Fixed in Version | | |
| Merge Request Status | |
| Review Assigned To | aferraz |
| OBNetwork customer | |
| Web browser | |
| Modules | Core |
| Support ticket | |
| Regression level | |
| Regression date | |
| Regression introduced in release | |
| Regression introduced by commit | |
| Triggers an Emergency Pack | No |
|
| Summary | 0027953: AccessibleOrgTree wrongly used in some reports may create security issues |
| Description | In many manual reports the organization combo is filled using:
ComboTableData comboTableData = new ComboTableData(vars, this, "TABLEDIR", "AD_ORG_ID", "",
"", Utility.getContext(this, vars, "#AccessibleOrgTree", "XXXX"),
Utility.getContext(this, vars, "#User_Client", "XXXX"), '*');
The "#AccessibleOrgTree" context gets the list of all the granted organizations, their ancestors and their descendants organizations.
For example, imagine our role only has access to "F&B España - Región Norte", that means that the #AccessibleOrgTree will be: F&B España - Región Norte, F&B España, F&B International Group and 0.
If we try to launch any of the reports affected by this bug, we will be able to select any parent organization, thus reading all the information available at that level, although our role doesn't have access to this organization.
This is an important security issue that may heavily affect organization structures where this information should be confidential.
The list of reports might be very big and we should review all of them, not only the Core's one but the module's reports too.
Here is a list of reports that might be affected (note that this list is not complete!):
src/org/openbravo/erpCommon/ad_reports/GeneralAccountingReports.java src/org/openbravo/erpCommon/ad_reports/MInOutTraceReports.java src/org/openbravo/erpCommon/ad_reports/ReportAccountingCountDimensionalAnalyses.java src/org/openbravo/erpCommon/ad_reports/ReportAgingBalance.java src/org/openbravo/erpCommon/ad_reports/ReportAnnualCertification.java src/org/openbravo/erpCommon/ad_reports/ReportBank.java src/org/openbravo/erpCommon/ad_reports/ReportBankJR.java src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java src/org/openbravo/erpCommon/ad_reports/ReportCash.java src/org/openbravo/erpCommon/ad_reports/ReportCashFlow.java src/org/openbravo/erpCommon/ad_reports/ReportCashJR.java src/org/openbravo/erpCommon/ad_reports/ReportCashflowForecast.java src/org/openbravo/erpCommon/ad_reports/ReportDebtPayment.java src/org/openbravo/erpCommon/ad_reports/ReportDebtPaymentTrack.java src/org/openbravo/erpCommon/ad_reports/ReportExpense.java src/org/openbravo/erpCommon/ad_reports/ReportGeneralLedger.java src/org/openbravo/erpCommon/ad_reports/ReportGeneralLedgerJournal.java src/org/openbravo/erpCommon/ad_reports/ReportGuaranteeDateJR.java src/org/openbravo/erpCommon/ad_reports/ReportInventory.java src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerDimensionalAnalyses.java src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerDimensionalAnalysesJR.java src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerEdition.java src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerJR.java src/org/openbravo/erpCommon/ad_reports/ReportInvoiceDiscount.java src/org/openbravo/erpCommon/ad_reports/ReportInvoiceDiscountJR.java src/org/openbravo/erpCommon/ad_reports/ReportInvoiceVendorDimensionalAnalysesJR.java src/org/openbravo/erpCommon/ad_reports/ReportInvoiceVendorJR.java src/org/openbravo/erpCommon/ad_reports/ReportInvoices.java src/org/openbravo/erpCommon/ad_reports/ReportInvoicesJR.java src/org/openbravo/erpCommon/ad_reports/ReportMaterialDimensionalAnalysesJR.java src/org/openbravo/erpCommon/ad_reports/ReportMaterialTransactionEdition.java src/org/openbravo/erpCommon/ad_reports/ReportMaterialTransactionEditionJR.java src/org/openbravo/erpCommon/ad_reports/ReportOffer.java src/org/openbravo/erpCommon/ad_reports/ReportOrderNotInvoiceJR.java src/org/openbravo/erpCommon/ad_reports/ReportParetoProduct.java src/org/openbravo/erpCommon/ad_reports/ReportPendingProductionJr.java src/org/openbravo/erpCommon/ad_reports/ReportPricelist.java src/org/openbravo/erpCommon/ad_reports/ReportProductMovement.java src/org/openbravo/erpCommon/ad_reports/ReportProduction.java src/org/openbravo/erpCommon/ad_reports/ReportProductionCost.java src/org/openbravo/erpCommon/ad_reports/ReportProductionJR.java src/org/openbravo/erpCommon/ad_reports/ReportProductionRunJR.java src/org/openbravo/erpCommon/ad_reports/ReportProjectBuildingSite.java src/org/openbravo/erpCommon/ad_reports/ReportProjectBuildingSiteJR.java src/org/openbravo/erpCommon/ad_reports/ReportProjectProfitabilityJR.java src/org/openbravo/erpCommon/ad_reports/ReportProjectProgress.java src/org/openbravo/erpCommon/ad_reports/ReportPurchaseDimensionalAnalysesJR.java src/org/openbravo/erpCommon/ad_reports/ReportRefundInvoiceCustomerDimensionalAnalyses.java src/org/openbravo/erpCommon/ad_reports/ReportRefundSalesDimensionalAnalyses.java src/org/openbravo/erpCommon/ad_reports/ReportSalesDimensionalAnalyzeJR.java src/org/openbravo/erpCommon/ad_reports/ReportSalesOrderInvoicedJasper.java src/org/openbravo/erpCommon/ad_reports/ReportSalesOrderJR.java src/org/openbravo/erpCommon/ad_reports/ReportSalesOrderOpenItem.java src/org/openbravo/erpCommon/ad_reports/ReportSalesOrderOpenItemJR.java src/org/openbravo/erpCommon/ad_reports/ReportSalesOrderProvidedJR.java src/org/openbravo/erpCommon/ad_reports/ReportShipmentDimensionalAnalyzeJR.java src/org/openbravo/erpCommon/ad_reports/ReportShipmentEditionJR.java src/org/openbravo/erpCommon/ad_reports/ReportShipper.java src/org/openbravo/erpCommon/ad_reports/ReportStandardCostJR.java src/org/openbravo/erpCommon/ad_reports/ReportToInvoiceConsignment.java src/org/openbravo/erpCommon/ad_reports/ReportToInvoiceConsignmentJR.java src/org/openbravo/erpCommon/ad_reports/ReportTotalProductTemplate.java src/org/openbravo/erpCommon/ad_reports/ReportTrialBalance.java src/org/openbravo/erpCommon/ad_reports/ReportTrialBalanceDetail.java src/org/openbravo/erpCommon/ad_reports/ReportValuationStock.java src/org/openbravo/erpCommon/ad_reports/ReportWarehouseControl.java src/org/openbravo/erpCommon/ad_reports/ReportWarehouseDetailInventoryJR.java src/org/openbravo/erpCommon/ad_reports/ReportWarehousePartnerJR.java src/org/openbravo/erpCommon/ad_reports/ReportWorkRequirementDaily.java src/org/openbravo/erpCommon/ad_reports/ReportWorkRequirementDailyEnv.java src/org/openbravo/erpCommon/ad_reports/ReportWorkRequirementJR.java |
| Steps To Reproduce | 1. Access Role window and edit "F&B España, S.A - Procurement" role to set it as "User level= Organization"
2. Go to "Org Access" tab and delete records for "España" and "España sur" so role only has access to "España Norte" organization
3. Log out and log in again with "F&B España, S.A - Procurement" role
4. Go to "Purchase Dimensional Report" (which is one of the affected reports) and realize that in Organization combo you are able to see more organizations than "España Norte".
5. Set * organization and run report. Realize that data from other organizations is considered |
| Proposed Solution | Use #User_Org instead, which contains the organizations that are granted by the role:
ComboTableData comboTableData = new ComboTableData(vars, this, "TABLEDIR", "AD_ORG_ID", "",
"", Utility.getContext(this, vars, "#User_Org", "XXXX"),
Utility.getContext(this, vars, "#User_Client", "XXXX"), '*'); |
| Additional Information | |
| Tags | No tags attached. |
| Relationships | | related to | design defect | 0027459 | | scheduled | reinaldoguerra | Data from non-accessible organizations is obtained in Multidimensional reports | | caused by | defect | 0006199 | | closed | alostale | Role with Organisation access can't fill out many required combos | | related to | defect | 0028675 | 3.0PR15Q2 | closed | reinaldoguerra | AccessibleOrgTree wrongly used in some reports | | related to | defect | 0030781 | 3.0PR15Q4 | closed | vmromanos | Define new preference to be able to not include * organization when using #User_Org variable |
|
| Attached Files | |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2014-10-22 18:51 | vmromanos | New Issue | |
| 2014-10-22 18:51 | vmromanos | Assigned To | => dmiguelez |
| 2014-10-22 18:51 | vmromanos | Modules | => Core |
| 2014-10-22 18:51 | vmromanos | Triggers an Emergency Pack | => No |
| 2014-10-22 18:52 | vmromanos | Relationship added | caused by 0006199 |
| 2014-10-22 18:52 | vmromanos | Relationship added | related to 0027459 |
| 2014-11-10 19:06 | ngarcia | Issue Monitored: ngarcia | |
| 2014-11-12 13:39 | ngarcia | Note Added: 0071608 | |
| 2014-11-18 19:12 | jonalegriaesarte | Resolution time | => 1418943600 |
| 2014-12-22 16:48 | shuehner | Issue Monitored: shuehner | |
| 2015-01-19 13:21 | Sandrahuguet | Relationship added | related to 0028675 |
| 2015-02-11 16:44 | Sandrahuguet | Assigned To | dmiguelez => jorge-garcia |
| 2015-02-18 11:56 | Sandrahuguet | Status | new => scheduled |
| 2015-02-18 11:56 | Sandrahuguet | fix_in_branch | => pi |
| 2015-02-26 08:48 | Sandrahuguet | Review Assigned To | => aferraz |
| 2015-02-26 08:48 | Sandrahuguet | fix_in_branch | pi => |
| 2015-03-03 13:34 | jorge-garcia | Note Added: 0075117 | |
| 2015-03-04 15:01 | psanjuan | Note Edited: 0075117 | bug_revision_view_page.php?bugnote_id=0075117#r7844 |
| 2015-03-05 11:02 | psanjuan | Note Edited: 0075117 | bug_revision_view_page.php?bugnote_id=0075117#r7861 |
| 2015-03-12 13:41 | hgbot | Checkin | |
| 2015-03-12 13:41 | hgbot | Note Added: 0075486 | |
| 2015-03-12 13:41 | hgbot | Status | scheduled => resolved |
| 2015-03-12 13:41 | hgbot | Resolution | open => fixed |
| 2015-03-12 13:41 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/devel/pi/rev/e5cd53fc814121bab1e327289c7636253b4f90b9 [^] |
| 2015-03-12 13:41 | hgbot | Checkin | |
| 2015-03-12 13:41 | hgbot | Note Added: 0075487 | |
| 2015-03-12 13:42 | aferraz | Note Added: 0075488 | |
| 2015-03-12 13:42 | aferraz | Status | resolved => closed |
| 2015-03-13 03:18 | hudsonbot | Checkin | |
| 2015-03-13 03:18 | hudsonbot | Note Added: 0075514 | |
| 2015-03-13 03:18 | hudsonbot | Checkin | |
| 2015-03-13 03:18 | hudsonbot | Note Added: 0075515 | |
| 2015-09-07 14:11 | vmromanos | Relationship added | related to 0030781 |
|
Notes |
|
|
|
|
It also happens in transactional windows |
|
|
|
(0075117)
|
|
jorge-garcia
|
2015-03-03 13:34
(edited on: 2015-03-05 11:02) |
|
Test Plan General:
Remember to change the User Level = 'Organization' and delete some Org Access lines in the Role window for the used roles.
1) Test Plan 1: Asset report for depreciation schedule
As F&B España, S.A - Finance
Go to Asset Report for Deprecation Schedule.
See that in the Organization combo only logged role's organization are available.
Click on Search button and realize that only data from logged role's organizations is considered, as these organizations are selected in the combo.
2) Test Plan 2: Invoice Taxes Report
As System Administrator:
Go to Process and Reports Window and activate this report
Go to Menu and activate Invoice Taxes Report menu
As F&B España, S.A - Finance
Go to Invoice Taxes Report and fill the mandatory filters.
From Date: 01-01-2014
To Date: 31-12-2014
Click on HTML Format and realize that only data from logged role's organizations is considered, as these organizations are selected in the combo.
3) Test Plan 3: Pareto Product Report
/* Optional*/
As F&B International Group Admin,
Go to Role window and select one of the roles
Go to Report and Process Access tab and give access to the Pareto Product Report
With the selected Role
Go to Pareto Product Report and fill the mandatory filters.
Currency: Currency of the report
Warehouse: Warehouse of the selected organization
Click on Search and realize that only data from selected organizations and warehouse is considered.
4) Test Plan 4: Create Budget Reports in Excel
As F&B España, S.A - Finance
Go to Create Budget Reports in Excel and fill the mandatory filters.
General Ledger: F&B España, S.A. US/A/Euro
Account Element: any
Realize that only organizations from the logged role appears in the Trx organization combo .Click on Generate Excel.
5) Test Plan 5: Payment Aging Balance
/* Optional*/ Former report.
As System Administrator,
Go to Report and Process window and activate the Payment Aging Balance Report
Go to the Menu window and activate the Payment Aging Balance menu
As F&B International Group Admin,
Go to Role window and select one of the roles
Go to Report and Process Access tab and give access to the Payment Aging Balance report
With the selected role realize that only organizations from the logged role appears in the Organization list.
6) Test Plan 6: Sales Order Returns dimensional Report
As System Administrator,
Go to Report and Process window and activate the Sales Order Returns Dimensional Report
Go to the Menu window and activate the Sales Order Returns Dimensional Report if it's not active yet
As F&B International Group Admin,
Go to Role window and select one of the roles
Go to Report and Process Access tab and give access to the Sales Order Returns Dimensional report
With the selected Role
Go to Sales Order Returns Dimensional Report and fill the mandatory filters.
From Date: 01-01-2011
To Date: 31-03-2011
See that in the Organization combo only logged role's organization are available.
7) Test Plan 7: Orders Awaiting Invoice Report
/* Optional*/
As F&B International Group Admin,
Go to Role window and select one of the roles
Go to Report and Process Access tab and give access to the Orders Awaiting Invoice report
With the selected role
Go to Orders Awaiting Invoice Report and fill the mandatory filters.
See that in the Organization combo only logged role's organization are available.
8) Test Plan 8: Shipments Dimensional Report
As F&B España, S.A - Finance
Go to Shipments Dimensional Report and fill the mandatory filters.
From Date: 01-02-2011
To Date: 31-02-2011
See that in the Organization combo only logged role's organization are available.
Click on HTML Format and realize that only data from logged role's organizations is considered, as these organizations are selected in the combo.
9) Test Plan 9: Project Profitability
/* Optional*/
As F&B International Group Admin,
Go to Role window and select one of the roles
Go to Report and Process Access tab and give access to the Project Profitability
With the selected role
Go to Project Profitability and fill the mandatory filters.
See that in the Organization combo only logged role's organization are available.
10) Test Plan 10: Withholding Report
As System Administrator,
Go to Report and Process window and activate the Withholding Report
Go to the Menu window and activate the Withholding Report if it's not active yet
As F&B International Group Admin,
Go to Role window and select one of the roles
Go to Report and Process Access tab and give access to the Withholding Report
With the selected Role
Go to Withholding Report and fill the mandatory filters.
See that in the Organization combo only logged role's organization are available.
11) Test Plan 11: Goods Receipts Dimensional Report
As F&B España, S.A - Finance
Go to Goods Receipts Dimensional Report and fill the mandatory filters.
From Date: 01-02-2011
To Date: 31-03-2011
See that in the Organization combo only logged role's organization are available.
12) Test Plan 12: Sales Invoice Dimensional Report
As F&B España, S.A - Finance
Go to Sales Invoice Dimensional Report and fill the mandatory filters.
From Date: 01-02-2011
To Date: 31-03-2011
See that in the Organization combo only logged role's organization are available.
13) Test Plan 13: Orders Awaiting Delivery Report
As F&B España S.A. - Warehouse
Go to Orders Awaiting Delivery Report
See that in the Organization combo only logged role's organization are available.
Click on PDF format button and realize that only data from logged role's organizations is considered, as these organizations are selected in the combo.
|
|
|
|
(0075486)
|
|
hgbot
|
|
2015-03-12 13:41
|
|
Repository: erp/devel/pi
Changeset: e5cd53fc814121bab1e327289c7636253b4f90b9
Author: Jorge Garcia <jorge.garcia <at> openbravo.com>
Date: Tue Feb 17 12:33:34 2015 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/e5cd53fc814121bab1e327289c7636253b4f90b9 [^]
Fixed issue 27953 AccessibleOrgTree wrongly used in some reports
In many manual reports the organization combo is filled using:
ComboTableData comboTableData = new ComboTableData(vars, this,
"TABLEDIR", "AD_ORG_ID", "", "", Utility.getContext(this, vars,
"#AccessibleOrgTree", "XXXX"), Utility.getContext(this, vars,
"#User_Client", "XXXX"), '*');
“#AccessibleOrgTree” context gets the list of all the granted organizations,
their ancestors and their descendants organizations. It's necessary to use
“#User_Org” instead, which contains the organizations that are granted
by the role:
ComboTableData comboTableData = new ComboTableData(vars, this,
"TABLEDIR", "AD_ORG_ID", "", "", Utility.getContext(this, vars,
"#User_Org", "XXXX"), Utility.getContext(this, vars,
"#User_Client", "XXXX"), '*');
Reports from these folders had been checked:
src/org/openbravo/erpCommon/ad_reports
src/org/openbravo/erpReports
Files affected by this issue had been changed and tried
---
M modules/org.openbravo.reports.ordersawaitingdelivery/src/org/openbravo/reports/ordersawaitingdelivery/erpCommon/ad_reports/ReportOrderNotShipped.java
M src/org/openbravo/erpCommon/ad_reports/ReportAgingBalance.java
M src/org/openbravo/erpCommon/ad_reports/ReportAnnualCertification.java
M src/org/openbravo/erpCommon/ad_reports/ReportAssetDepreciationSchedule.java
M src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java
M src/org/openbravo/erpCommon/ad_reports/ReportCashFlow.java
M src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerDimensionalAnalysesJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportMaterialDimensionalAnalysesJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportOrderNotInvoiceJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportParetoProduct.java
M src/org/openbravo/erpCommon/ad_reports/ReportProjectProfitabilityJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportRefundSalesDimensionalAnalyses.java
M src/org/openbravo/erpCommon/ad_reports/ReportShipmentDimensionalAnalyzeJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportTaxInvoiceJR.java
---
|
|
|
|
(0075487)
|
|
hgbot
|
|
2015-03-12 13:41
|
|
Repository: erp/devel/pi
Changeset: 9e165ce2e31193b859c04864358d30bbfb6f040d
Author: Jorge Garcia <jorge.garcia <at> openbravo.com>
Date: Tue Mar 03 12:04:20 2015 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/9e165ce2e31193b859c04864358d30bbfb6f040d [^]
Related to issue 27953: Updated Copyright
Updated Copyright dates
---
M modules/org.openbravo.reports.ordersawaitingdelivery/src/org/openbravo/reports/ordersawaitingdelivery/erpCommon/ad_reports/ReportOrderNotShipped.java
M src/org/openbravo/erpCommon/ad_reports/ReportAgingBalance.java
M src/org/openbravo/erpCommon/ad_reports/ReportAnnualCertification.java
M src/org/openbravo/erpCommon/ad_reports/ReportAssetDepreciationSchedule.java
M src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java
M src/org/openbravo/erpCommon/ad_reports/ReportCashFlow.java
M src/org/openbravo/erpCommon/ad_reports/ReportMaterialDimensionalAnalysesJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportOrderNotInvoiceJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportParetoProduct.java
M src/org/openbravo/erpCommon/ad_reports/ReportProjectProfitabilityJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportRefundSalesDimensionalAnalyses.java
M src/org/openbravo/erpCommon/ad_reports/ReportShipmentDimensionalAnalyzeJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportTaxInvoiceJR.java
---
|
|
|
|
|
|
|
|
|
|
|
|
|
|