Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
ID: 0030253
Project: Openbravo ERP
Category: C. Security
View Status: public
Date Submitted: 2015-06-26 09:12
Last Update: 2022-02-01 08:09
Reporter: vmromanos
Assigned To: Triage Platform Base
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
5
Modules: Core
Triggers an Emergency Pack: No
0030253: Automatic roles and initial organization setup inconsistency
A role can be defined with Manual = N, which means that it automatically receives all standard user and admin privileges, including access to new elements (windows, processes, forms, widget classes, organizations) as they are added. http://wiki.openbravo.com/wiki/Role

When you run an Initial Organization Setup, you can create a new role that is associated only with the newly created organization. This works correctly. http://wiki.openbravo.com/wiki/Initial_organization_setup

However, if you then create another organization, the system automatically adds this new organization to the role created by the first Initial Organization Setup run.
This can be considered a security issue for that first role, because the user most likely expects it to have access only to the organization it was created for.

The inconsistency comes from the definitions of two processes that conflict with each other:
* Initial Organization Setup creates an automatic role (Manual=N) with access only to the selected organization.
* New organizations are automatically added to every role with Manual=N.


This behavior is controlled in the AD_ORG_TRG trigger:

 -- Excerpt from AD_ORG_TRG (INSERTING branch)
 IF (INSERTING) THEN
   -- Add the new organization to every automatic (IsManual='N') role of the client
   INSERT INTO AD_Role_OrgAccess
     (
       AD_Role_OrgAccess_ID, AD_Role_ID, AD_Client_ID, AD_Org_ID,
       IsActive, Created, CreatedBy,
       Updated, UpdatedBy, is_org_admin
     )
   SELECT get_uuid(), AD_Role_ID, :new.AD_Client_ID, :new.AD_Org_ID,
          'Y', now(), :new.CreatedBy,
          now(), :new.CreatedBy, 'Y'
   FROM AD_Role
   WHERE AD_Client_ID = :new.AD_Client_ID
     AND IsManual = 'N';
 END IF;
Steps To Reproduce:
1. As System Admin, create a new client.
2. Log into the new client.
3. Run Initial Organization Setup:
   Name: o1
   Org user name: 01
4. Go to the Role window and verify that a new role for organization o1 only has been created.
5. Run Initial Organization Setup:
   Name: o2
   Org user name: 02
6. Go to the Role window:
   Verify that a new role for organization o2 only has been created.
   Verify that the previous role for organization o1 now has access to o2 too. This situation could create a security problem.
Proposed Solution:
1. Study the situation and decide on a solution. Idea: add a new flag at role level that controls whether new organizations are added to the role; AD_ORG_TRG should be adapted accordingly.

2. Additionally, AD_ORG_TRG should only run this code for roles with Client/Organization or Organization-only access level. Right now it also adds the organization to roles with other access levels (such as Client or System), which is not needed at all.
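The following is an added example, not Openbravo's code or a committed fix: an audit query that surfaces the symptom described above, followed by a hardened version of the INSERTING branch of AD_ORG_TRG that applies both points of the proposed solution. It assumes that AD_Role.UserLevel holds the role's access level (S, C, CO or O, possibly space-padded) and that a hypothetical new column AD_Role.IsAutoOrgAccess ('Y'/'N') implements the proposed per-role flag.

```sql
-- Added example (not Openbravo's code). Assumptions: AD_Role.UserLevel holds
-- the access level (S, C, CO or O, possibly space-padded) and
-- AD_Role.IsAutoOrgAccess is a hypothetical new 'Y'/'N' flag on the role.

-- 1. Audit: automatic roles that have accumulated access to more than one
--    organization. A role created by Initial Organization Setup is expected
--    to appear with exactly one organization, so extra rows here are the
--    symptom reported in this issue.
SELECT r.AD_Role_ID, r.Name, COUNT(oa.AD_Org_ID) AS org_count
FROM AD_Role r
JOIN AD_Role_OrgAccess oa ON oa.AD_Role_ID = r.AD_Role_ID
WHERE r.IsManual = 'N'
  AND oa.IsActive = 'Y'
GROUP BY r.AD_Role_ID, r.Name
HAVING COUNT(oa.AD_Org_ID) > 1
ORDER BY org_count DESC;

-- 2. Hardened INSERTING branch of AD_ORG_TRG: grant the new organization only
--    to roles that are automatic, opted in via the new flag, and have an
--    organization-level access level (CO or O). Client-only and System roles
--    are skipped, and an existing grant is never duplicated.
IF (INSERTING) THEN
  INSERT INTO AD_Role_OrgAccess
    (AD_Role_OrgAccess_ID, AD_Role_ID, AD_Client_ID, AD_Org_ID,
     IsActive, Created, CreatedBy, Updated, UpdatedBy, is_org_admin)
  SELECT get_uuid(), r.AD_Role_ID, :new.AD_Client_ID, :new.AD_Org_ID,
         'Y', now(), :new.CreatedBy, now(), :new.CreatedBy, 'Y'
  FROM AD_Role r
  WHERE r.AD_Client_ID = :new.AD_Client_ID
    AND r.IsManual = 'N'
    AND r.IsAutoOrgAccess = 'Y'        -- hypothetical per-role opt-in flag
    AND r.UserLevel LIKE '%O%'         -- CO or O access levels only
    AND NOT EXISTS (                   -- idempotent: skip if already granted
      SELECT 1 FROM AD_Role_OrgAccess x
      WHERE x.AD_Role_ID = r.AD_Role_ID
        AND x.AD_Org_ID = :new.AD_Org_ID);
END IF;
```

Roles created by Initial Client Setup are expected to hold access to every organization of the client, so rows returned by the audit query should be reviewed against the role's origin rather than all treated as defects.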
No tags attached.
Relationships:
related to defect 0030057 (closed, aferraz): Org Access added automatically to all roles
caused by defect 0010548 (closed, alostale): Adding a new organization adds org access to manual roles
Issue History
2015-06-26 09:12  vmromanos  New Issue
2015-06-26 09:12  vmromanos  Assigned To => platform
2015-06-26 09:12  vmromanos  Modules => Core
2015-06-26 09:12  vmromanos  Triggers an Emergency Pack => No
2015-06-26 09:15  vmromanos  Proposed Solution updated
2015-06-26 09:16  vmromanos  Relationship added: related to 0030057
2015-06-26 09:17  vmromanos  Relationship added: caused by 0010548
2022-02-01 08:09  alostale   Assigned To: platform => Triage Platform Base

There are no notes attached to this issue.