Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0029175Openbravo ERP09. Financial managementpublic2015-03-06 14:512015-03-12 07:45
Reporterjonalegriaesarte 
Assigned ToAugustoMauch 
PriorityhighSeveritymajorReproducibilityhave not tried
StatusacknowledgedResolutionopen 
PlatformOS5OS Version
Product Version 
Target VersionFixed in Version 
Merge Request Status
Review Assigned To
OBNetwork customer
Web browser
ModulesCore
Support ticket
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary0029175: Account selector in General ledger report can not be used depending on the permissions to the role
DescriptionAccount selector in General ledger report can not be used depending on the permissions to the role. This makes the report not usable
Steps To Reproduce- Create a testing role, set as manual
- Provide access to org F&B EspaƱa, user Openbravo and General ledger report
- Logout and login using the new role
- Access to report and try to use the selector. System provides an error.
Proposed Solution
Additional Information
TagsNo tags attached.
Relationships
related to design defect 0029231 new Triage Platform Base Define createLinesFrom process and posted process as an OB standard process. 
depends on backport 00292133.0PR15Q3 closed AugustoMauch Account selector in General ledger report can not be used depending on the permissions to the role 
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2015-03-06 14:51jonalegriaesarteNew Issue
2015-03-06 14:51jonalegriaesarteAssigned To => Sandrahuguet
2015-03-06 14:51jonalegriaesarteModules => Core
2015-03-06 14:51jonalegriaesarteResolution time => 1427238000
2015-03-06 14:51jonalegriaesarteTriggers an Emergency Pack => No
2015-03-10 11:06jorge-garciaStatusnew => scheduled
2015-03-10 11:06jorge-garciaAssigned ToSandrahuguet => jorge-garcia
2015-03-11 13:34vmromanosAssigned Tojorge-garcia => AugustoMauch
2015-03-11 13:34vmromanosNote Added: 0075445
2015-03-12 07:37alostaleRelationship addedrelated to 0029231
2015-03-12 07:45alostaleResolution time1427238000 =>
2015-03-12 07:45alostaleNote Added: 0075467
2015-03-12 07:45alostaleStatusscheduled => acknowledged
2015-03-12 07:45alostaleTypedefect => design defect
2015-03-12 07:45alostaleTarget Version3.0PR15Q3 =>

Notes
(0075445)
vmromanos   
2015-03-11 13:34   
Forward to platform:

Problem found in HttpSecureAppServlet.java, method hasGeneralAccess().

The SeguridadData.selectAccessSearch() query only takes into account Windows, but this is a Report, so no ad_window_access is found.

Proposed solution: Query should be changed, or alternatively hack in hasAccess() method to control that situation.



Note that other selectors (Multiple Business Partner, Project, etc.) show data in this scenario, so this selector must have the same logic.
(0075467)
alostale   
2015-03-12 07:45   
Moving to design defect: similar case than 0029213 regarding defects in the design of 2.50 components securization.

Accessibility for 2.50 selectors is granted only if the selector is used in any of the windows accessible with the current role. This cannot be implemented for manual reports because they don't define in AD which are the references they use as parameter. This is the case of the account selector.

Multiple selectors are not considered in this sense as selectors because they are not defined in AD as reference because they can't be used in standard windows. Therefore they're directly defined as "AD Implementation Mapping", in this case the only initial restriction to get access is to be logged in the application but other security rules, if any, must be implemented by the servlet.