Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0029326Openbravo ERPA. Platformpublic2015-03-18 09:182015-03-20 12:35
Reporteralostale 
Assigned Toalostale 
PriorityurgentSeverityminorReproducibilityhave not tried
StatusclosedResolutionfixed 
PlatformOS5OS Version
Product Version 
Target VersionFixed in Version3.0PR15Q2 
Merge Request Status
Review Assigned ToAugustoMauch
OBNetwork customerNo
Web browser
ModulesCore
Support ticket
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary0029326: attachment download from multi record does not perform correct organization access check
DescriptionWhen downloading attachments the attachment's record's organization is checked to guarantee current user has access to it. Note this is done a extra security check to prevent direct requests to ungranted records but it is not possible to do it from UI.

This check is not correctly done when downloading attachments from different records at once.
Steps To ReproduceIt can't be reproduced from UI.

Two ways:
1. Generate a request to download attachments from multiple records, being at least one of them in an organization the current session doesn't have access to.
  --> ERROR: it is allowed but it shouldn't
2. Debug org.openbravo.erpCommon.businessUtility.TabAttachments.printPageFileMultiple and download attachments from several records at once.
  --> ERROR: SecurityChecker is bypassed because object is null in this code
        if (object instanceof OrganizationEnabled) {
          SecurityChecker.getInstance().checkReadableAccess((OrganizationEnabled) object);
        }
Proposed Solution
Additional Information
TagsNo tags attached.
Relationships
related to defect 0028842 closed NaroaIriarte When you attach a file, the created record in table c_file has context organization instead of document organization 
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2015-03-18 09:18alostaleNew Issue
2015-03-18 09:18alostaleAssigned To => platform
2015-03-18 09:18alostaleOBNetwork customer => No
2015-03-18 09:18alostaleModules => Core
2015-03-18 09:18alostaleTriggers an Emergency Pack => No
2015-03-18 09:19alostaleRelationship addedrelated to 0028842
2015-03-18 09:19alostaleAssigned Toplatform => alostale
2015-03-18 09:20alostaleReview Assigned To => AugustoMauch
2015-03-18 09:27hgbotCheckin
2015-03-18 09:27hgbotNote Added: 0075719
2015-03-18 09:27hgbotStatusnew => resolved
2015-03-18 09:27hgbotResolutionopen => fixed
2015-03-18 09:27hgbotFixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/fe1d0d1cf4ba858c8e162a1405866dfbff007f38 [^]
2015-03-18 15:38hudsonbotCheckin
2015-03-18 15:38hudsonbotNote Added: 0075743
2015-03-20 12:35AugustoMauchNote Added: 0075790
2015-03-20 12:35AugustoMauchStatusresolved => closed
2015-03-20 12:35AugustoMauchFixed in Version => 3.0PR15Q2

Notes
(0075719)
hgbot   
2015-03-18 09:27   
Repository: erp/devel/pi
Changeset: fe1d0d1cf4ba858c8e162a1405866dfbff007f38
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Wed Mar 18 09:26:06 2015 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/fe1d0d1cf4ba858c8e162a1405866dfbff007f38 [^]

fixed bug 29326: multi record attachment download does not check org access

  When downloading attachemnts from different records at once, attachment's
  record's organization was not checked to be accessible. The problem was it tried
  to get a single record with id as concatenation of all ids.

  The fix iterates over all the records and check org access for each of them
  individually.

---
M src/org/openbravo/erpCommon/businessUtility/TabAttachments.java
---
(0075743)
hudsonbot   
2015-03-18 15:38   
A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/327af339611e [^]
Maturity status: Test
(0075790)
AugustoMauch   
2015-03-20 12:35   
Code reviewed and verified in pi@b7fd6844f03f