Openbravo Issue Tracking System - Openbravo ERP |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0028842 | Openbravo ERP | A. Platform | public | 2015-02-03 12:41 | 2016-06-17 19:36 |
|
| Reporter | jecharri | |
| Assigned To | NaroaIriarte | |
| Priority | urgent | Severity | major | Reproducibility | always |
| Status | closed | Resolution | fixed | |
| Platform | | OS | 5 | OS Version | |
| Product Version | | |
| Target Version | | Fixed in Version | 3.0PR15Q2 | |
| Merge Request Status | |
| Review Assigned To | AugustoMauch |
| OBNetwork customer | |
| Web browser | Google Chrome |
| Modules | Core |
| Support ticket | |
| Regression level | |
| Regression date | |
| Regression introduced in release | |
| Regression introduced by commit | |
| Triggers an Emergency Pack | No |
|
| Summary | 0028842: When you attach a file, the created record in table c_file has context organization instead of document organization |
| Description | When you attach a file, the created record in table c_file has context organization instead of document organization |
| Steps To Reproduce | -Login to ERP
-Your context should have "EspaƱa Norte" organization
-Go to window sales order and select an org with organization "F&B US East Coast"
-Attach a file
-Login with a role that only have access to "F&B US East Coast" verify that can not see attached file
The problem is that created record in table c_file has the context organization instead of document organization.
It could be necessary a modulescript |
| Proposed Solution | |
| Additional Information | |
| Tags | No tags attached. |
| Relationships | | related to | defect | 0029057 | | closed | AugustoMauch | When you create a note, the created record in table has context organization instead of document organization | | related to | defect | 0029064 | 3.0PR15Q3 | closed | NaroaIriarte | When you create a note, the created record in table obuiapp_note has context organization instead of document organization | | related to | defect | 0029313 | 3.0PR15Q2 | closed | alostale | Download attachments selecting several records is not working fine | | related to | defect | 0029326 | | closed | alostale | attachment download from multi record does not perform correct organization access check |
|
| Attached Files | |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2015-02-03 12:41 | jecharri | New Issue | |
| 2015-02-03 12:41 | jecharri | Assigned To | => AugustoMauch |
| 2015-02-03 12:41 | jecharri | Web browser | => Google Chrome |
| 2015-02-03 12:41 | jecharri | Modules | => Core |
| 2015-02-03 12:41 | jecharri | Resolution time | => 1425510000 |
| 2015-02-03 12:41 | jecharri | Triggers an Emergency Pack | => No |
| 2015-02-04 03:54 | Guillaume_Jump | Note Added: 0074063 | |
| 2015-02-09 12:38 | alostale | Status | new => scheduled |
| 2015-02-09 12:38 | alostale | Assigned To | AugustoMauch => NaroaIriarte |
| 2015-02-09 12:38 | alostale | fix_in_branch | => pi |
| 2015-02-25 08:40 | alostale | Relationship added | related to 0029057 |
| 2015-02-25 13:15 | caristu | Relationship added | related to 0029064 |
| 2015-03-04 12:17 | AugustoMauch | Issue Monitored: AugustoMauch | |
| 2015-03-04 12:17 | AugustoMauch | Review Assigned To | => AugustoMauch |
| 2015-03-04 12:17 | AugustoMauch | Web browser | Google Chrome => Google Chrome |
| 2015-03-04 12:17 | AugustoMauch | fix_in_branch | pi => |
| 2015-03-04 12:18 | hgbot | Checkin | |
| 2015-03-04 12:18 | hgbot | Note Added: 0075150 | |
| 2015-03-04 12:18 | hgbot | Status | scheduled => resolved |
| 2015-03-04 12:18 | hgbot | Resolution | open => fixed |
| 2015-03-04 12:18 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/devel/pi/rev/afec99f5af4390c1360af46f504bd7399f709f32 [^] |
| 2015-03-04 12:19 | AugustoMauch | Note Added: 0075151 | |
| 2015-03-04 12:19 | AugustoMauch | Status | resolved => closed |
| 2015-03-04 12:19 | AugustoMauch | Fixed in Version | => 3.0PR15Q2 |
| 2015-03-04 12:26 | AugustoMauch | Web browser | Google Chrome => Google Chrome |
| 2015-03-04 12:26 | AugustoMauch | Steps to Reproduce Updated | bug_revision_view_page.php?rev_id=7840#r7840 |
| 2015-03-04 12:27 | AugustoMauch | Note Added: 0075152 | |
| 2015-03-04 15:02 | hgbot | Checkin | |
| 2015-03-04 15:02 | hgbot | Note Added: 0075159 | |
| 2015-03-05 17:01 | hudsonbot | Checkin | |
| 2015-03-05 17:01 | hudsonbot | Note Added: 0075206 | |
| 2015-03-05 17:01 | hudsonbot | Checkin | |
| 2015-03-05 17:01 | hudsonbot | Note Added: 0075207 | |
| 2015-03-18 08:59 | alostale | Relationship added | related to 0024289 |
| 2015-03-18 08:59 | alostale | Relationship deleted | related to 0024289 |
| 2015-03-18 09:01 | alostale | Relationship added | related to 0029313 |
| 2015-03-18 09:19 | alostale | Relationship added | related to 0029326 |
| 2016-04-18 13:02 | hgbot | Checkin | |
| 2016-04-18 13:02 | hgbot | Note Added: 0085698 | |
| 2016-04-18 13:02 | hgbot | Status | closed => resolved |
| 2016-04-18 13:02 | hgbot | Fixed in SCM revision | http://code.openbravo.com/erp/devel/pi/rev/afec99f5af4390c1360af46f504bd7399f709f32 [^] => http://code.openbravo.com/erp/devel/pi/rev/98cf7142eebe2d555da6108bb5f51f68cc325afb [^] |
| 2016-04-18 13:02 | hgbot | Checkin | |
| 2016-04-18 13:02 | hgbot | Note Added: 0085699 | |
| 2016-04-19 09:54 | gorkaion | Note Added: 0085734 | |
| 2016-04-19 09:54 | gorkaion | Status | resolved => closed |
| 2016-06-17 19:36 | hudsonbot | Checkin | |
| 2016-06-17 19:36 | hudsonbot | Note Added: 0087457 | |
| 2016-06-17 19:36 | hudsonbot | Checkin | |
| 2016-06-17 19:36 | hudsonbot | Note Added: 0087458 | |
|
Notes |
|
|
|
Good Morning,
Doing more tests on that we found that the same problem also applies to Notes. |
|
|
|
(0075150)
|
|
hgbot
|
|
2015-03-04 12:18
|
|
Repository: erp/devel/pi
Changeset: afec99f5af4390c1360af46f504bd7399f709f32
Author: Naroa Iriarte <naroa.iriarte <at> openbravo.com>
Date: Thu Feb 26 13:45:06 2015 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/afec99f5af4390c1360af46f504bd7399f709f32 [^]
Fixed issue 28842: There are problems to handle attachments.
There were two problems:
First: When storing an attachment in the database (c_file table), the current
organization of the user was used instead of the organization of the document where the
file is being attached to. The aim of this fix is to take the value of the organization
of the attached document instead of the current user organization.
Second: When an attachment was created with an organization and after that, the
organization of the document was changed, it was not possible to download it, update it nor delete
it with a user who does not have access to the organization used to create the attachment.
To fix the first part, a new field that stores the document organization has been added to the canvas
of the OBAttachmentsSectionItem class in the fillAttachments function. After that the
field is sent as a param in the request, and can be used in the TabAttachments.java class
to be included to create the new record in c_file.
To fix the second part, the way the attachments are retrieved in the TabAttachments and in the
AttachmentsAH classes has been modified. Now the automated organization filter is disabled,
so the organization of the attachment is not taken into accout. It is needed that the user has at
least readable access to the document's organization for downloading, deleting or editing its attachments
a new method has been added to the SecurityChecker class for checking this.
---
M modules/org.openbravo.client.application/src/org/openbravo/client/application/window/AttachmentsAH.java
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/form/ob-view-form-attachments.js
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/form/ob-view-form-linked-items.js
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/form/ob-view-form.js
M src/org/openbravo/dal/security/SecurityChecker.java
M src/org/openbravo/erpCommon/businessUtility/TabAttachments.java
---
|
|
|
|
|
|
Code reviewed and verified in pi@afec99f5af43 |
|
|
|
|
A module script was not needed, as now the organization of the attachment (which was the data that would have been needed to be corrected in the modulescript) is not taken into accout to interact (download, edit, remove) with an attachment.
Now, if a user has access to the document where the files are attached to, it will have access to all its attachments. |
|
|
|
(0075159)
|
|
hgbot
|
|
2015-03-04 15:02
|
|
|
|
|
|
|
|
|
|
|
|
|
(0085698)
|
|
hgbot
|
|
2016-04-18 13:02
|
|
Repository: erp/devel/pi
Changeset: 98cf7142eebe2d555da6108bb5f51f68cc325afb
Author: Naroa Iriarte <naroa.iriarte <at> openbravo.com>
Date: Thu Feb 26 13:45:06 2015 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/98cf7142eebe2d555da6108bb5f51f68cc325afb [^]
Fixed issue 28842: There are problems to handle attachments.
There were two problems:
First: When storing an attachment in the database (c_file table), the current
organization of the user was used instead of the organization of the document where the
file is being attached to. The aim of this fix is to take the value of the organization
of the attached document instead of the current user organization.
Second: When an attachment was created with an organization and after that, the
organization of the document was changed, it was not possible to download it, update it nor delete
it with a user who does not have access to the organization used to create the attachment.
To fix the first part, a new field that stores the document organization has been added to the canvas
of the OBAttachmentsSectionItem class in the fillAttachments function. After that the
field is sent as a param in the request, and can be used in the TabAttachments.java class
to be included to create the new record in c_file.
To fix the second part, the way the attachments are retrieved in the TabAttachments and in the
AttachmentsAH classes has been modified. Now the automated organization filter is disabled,
so the organization of the attachment is not taken into accout. It is needed that the user has at
least readable access to the document's organization for downloading, deleting or editing its attachments
a new method has been added to the SecurityChecker class for checking this.
---
M modules/org.openbravo.client.application/src/org/openbravo/client/application/window/AttachmentsAH.java
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/form/ob-view-form-attachments.js
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/form/ob-view-form-linked-items.js
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/form/ob-view-form.js
M src/org/openbravo/dal/security/SecurityChecker.java
M src/org/openbravo/erpCommon/businessUtility/TabAttachments.java
---
|
|
|
|
(0085699)
|
|
hgbot
|
|
2016-04-18 13:02
|
|
|
|
|
|
|
issue reopened by attachment enhancement project merge. checked that it is not reproduced. |
|
|
|
|
|
|
|
|
|