Openbravo Issue Tracking System - Openbravo ERP |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0032398 | Openbravo ERP | A. Platform | public | 2016-03-03 16:09 | 2016-06-17 19:37 |
|
| Reporter | JONHM | |
| Assigned To | alostale | |
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | closed | Resolution | fixed | |
| Platform | | OS | 5 | OS Version | |
| Product Version | 3.0PR15Q4.3 | |
| Target Version | | Fixed in Version | 3.0PR16Q3 | |
| Merge Request Status | |
| Review Assigned To | caristu |
| OBNetwork customer | |
| Web browser | |
| Modules | Core |
| Support ticket | |
| Regression level | |
| Regression date | |
| Regression introduced in release | |
| Regression introduced by commit | |
| Triggers an Emergency Pack | No |
|
| Summary | 0032398: Role with Organization user level cannot see data in System/Client tables even if granted |
| Description | A user having a role set at Organization level cannot have access to "Currency" window and also cannot copy invoice lines in "Purchase Invoice" window |
| Steps To Reproduce | 1) Create a user with a role set as Organization Level and assign windows "Currency" and "Purchase Invoice"
2) Sign up with new user
3) Open Currency window
-> The window is opened but no data is shown with message:
"With your current role and settings, you cannot view this information"
4) Create a new invoice line, save it and push the button "Copy Lines"
-> Error message:
Entity Currency is not directly readable, only id and identifier properties are readable, property Currency.pricePrecision is neither of these. |
| Proposed Solution | This default behavior will be preserved adding a new Preference (Bypass Access Level Entity Check) that will allow to skip these checks.
http://wiki.openbravo.com/wiki/Role#Role [^] |
| Additional Information | |
| Tags | No tags attached. |
| Relationships | | related to | design defect | 0032869 | | acknowledged | Triage Platform Base | cannot switch to a role that's being defined in current session | | related to | defect | 0032870 | | closed | caristu | Add log information in HttpSecureAppServlet when role has not access |
|
| Attached Files | |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2016-03-03 16:09 | JONHM | New Issue | |
| 2016-03-03 16:09 | JONHM | Assigned To | => platform |
| 2016-03-03 16:09 | JONHM | Modules | => Core |
| 2016-03-03 16:09 | JONHM | Resolution time | => 1456786800 |
| 2016-03-03 16:09 | JONHM | Triggers an Emergency Pack | => No |
| 2016-03-03 16:42 | alostale | Note Added: 0084693 | |
| 2016-03-03 16:42 | alostale | Assigned To | platform => Triage Finance |
| 2016-03-03 16:42 | alostale | Category | B. User interface => 07. Sales management |
| 2016-04-04 12:39 | egoitz | Resolution time | 1456786800 => 1462053600 |
| 2016-04-18 13:13 | egoitz | Assigned To | Triage Finance => platform |
| 2016-04-18 13:13 | egoitz | Category | 07. Sales management => A. Platform |
| 2016-04-28 11:23 | alostale | Description Updated | bug_revision_view_page.php?rev_id=11896#r11896 |
| 2016-04-28 11:23 | alostale | Steps to Reproduce Updated | bug_revision_view_page.php?rev_id=11898#r11898 |
| 2016-04-28 11:58 | alostale | Summary | Problem accessing some windows while user having Role set at Organization level => Role with Organization user level cannot see data in System/Client tables even if granted |
| 2016-04-28 11:59 | alostale | Review Assigned To | => caristu |
| 2016-04-28 11:59 | alostale | Type | defect => feature request |
| 2016-04-28 11:59 | alostale | Proposed Solution updated | |
| 2016-04-29 07:30 | hgbot | Checkin | |
| 2016-04-29 07:30 | hgbot | Note Added: 0086066 | |
| 2016-04-29 07:30 | hgbot | Status | new => resolved |
| 2016-04-29 07:30 | hgbot | Resolution | open => fixed |
| 2016-04-29 07:30 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/devel/pi/rev/5438c3739fa273e3427257fcf231bf79ac5ba9d9 [^] |
| 2016-04-29 07:30 | hgbot | Checkin | |
| 2016-04-29 07:30 | hgbot | Note Added: 0086067 | |
| 2016-05-05 10:09 | caristu | Assigned To | platform => alostale |
| 2016-05-05 10:09 | caristu | Note Added: 0086203 | |
| 2016-05-05 10:09 | caristu | Status | resolved => new |
| 2016-05-05 10:09 | caristu | Resolution | fixed => open |
| 2016-05-05 10:47 | alostale | Relationship added | related to 0032869 |
| 2016-05-05 11:12 | caristu | Status | new => scheduled |
| 2016-05-05 11:13 | caristu | Note Added: 0086206 | |
| 2016-05-05 11:13 | caristu | Status | scheduled => resolved |
| 2016-05-05 11:13 | caristu | Fixed in Version | => 3.0PR16Q3 |
| 2016-05-05 11:13 | caristu | Resolution | open => fixed |
| 2016-05-05 11:15 | caristu | Note Added: 0086207 | |
| 2016-05-05 11:15 | caristu | Status | resolved => closed |
| 2016-05-05 11:24 | caristu | Note Added: 0086208 | |
| 2016-05-05 11:25 | caristu | Relationship added | related to 0032870 |
| 2016-06-17 19:37 | hudsonbot | Checkin | |
| 2016-06-17 19:37 | hudsonbot | Note Added: 0087499 | |
|
Notes |
|
|
|
This issue describes two topics:
1. Roles defined as Organization level cannot access data in tabs for System or System/Only tables, which is the case of Currency and Conversion Rates widows. This is as per design, so not an issue.
2. Copy Lines process requires explicit access to Currency entity. This can be reproduced with a role with access to only Sales Invoice window. This can be considered as an issue because having access to Sales Invoice window should grant access also to execute its processes. |
|
|
|
(0086066)
|
|
hgbot
|
|
2016-04-29 07:30
|
|
Repository: erp/devel/pi
Changeset: 5438c3739fa273e3427257fcf231bf79ac5ba9d9
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Fri Mar 04 14:59:30 2016 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/5438c3739fa273e3427257fcf231bf79ac5ba9d9 [^]
fixes 32398: Organization role can't see data in System/Client tables
A new preference has been created in order to bypass check that compares role's
user level with entity's access level to completely prevent accessing latter one.
---
M src-db/database/sourcedata/AD_REF_LIST.xml
M src-test/src/org/openbravo/test/AllAntTaskTests.java
M src-test/src/org/openbravo/test/security/CrossOrganizationReference.java
M src-test/src/org/openbravo/test/security/ExplicitCrossOrganizationReference.java
M src/org/openbravo/base/secureApp/HttpSecureAppServlet.java
M src/org/openbravo/base/secureApp/LoginUtils.java
M src/org/openbravo/dal/core/OBContext.java
M src/org/openbravo/dal/security/EntityAccessChecker.java
A src-test/src/org/openbravo/test/security/BypassAccessLevelCheck.java
---
|
|
|
|
(0086067)
|
|
hgbot
|
|
2016-04-29 07:30
|
|
|
|
|
|
Found an error following these steps:
1) Create a new Role with Organization access level
2) Assign it to the Openbravo user
3) Log out and log in
4) In the Role window again, navigate to the newly created role
5) Give it access to the "F&B International Group" organization
6) Give it access to the "F&B España, S.A" organization
7) Using the profile menu, try to switch to this new role. The following error appears:
Error occured: org.openbravo.base.exception.OBException: java.lang.IllegalArgumentException: Error when saving default values
Stack Trace:
Caused by: java.lang.IllegalArgumentException: Error when saving default values
at org.openbravo.client.application.navigationbarcomponents.UserInfoWidgetActionHandler$UserSessionSetter.resetSession(UserInfoWidgetActionHandler.java:477)
at org.openbravo.client.application.navigationbarcomponents.UserInfoWidgetActionHandler$UserSessionSetter.access$1(UserInfoWidgetActionHandler.java:432)
at org.openbravo.client.application.navigationbarcomponents.UserInfoWidgetActionHandler.executeSaveCommand(UserInfoWidgetActionHandler.java:393)
at org.openbravo.client.application.navigationbarcomponents.UserInfoWidgetActionHandler.execute(UserInfoWidgetActionHandler.java:91)
... 48 more |
|
|
|
|
|
|
|
|
Code review + testing OK.
Following steps to reproduce and enabling the preference Bypass Access Level Entity Check:
- Currency window records can be seen (And they are not editable).
- It is possible to run the Copy Lines process successfully |
|
|
|
|
|
|
|
|
|