Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
0032398Openbravo ERPA. Platformpublic2016-03-03 16:092016-06-17 19:37
JONHM 
alostale 
normalminoralways
closedfixed 
5
3.0PR15Q4.3 
3.0PR16Q3 
caristu
Core
No
0032398: Role with Organization user level cannot see data in System/Client tables even if granted
A user having a role set at Organization level cannot have access to "Currency" window and also cannot copy invoice lines in "Purchase Invoice" window
1) Create a user with a role set as Organization Level and assign windows "Currency" and "Purchase Invoice"
2) Sign up with new user
3) Open Currency window
  -> The window is opened but no data is shown with message:
     "With your current role and settings, you cannot view this information"
4) Create a new invoice line, save it and push the button "Copy Lines"
   -> Error message:
      Entity Currency is not directly readable, only id and identifier properties are readable, property Currency.pricePrecision is neither of these.
This default behavior will be preserved adding a new Preference (Bypass Access Level Entity Check) that will allow to skip these checks.

http://wiki.openbravo.com/wiki/Role#Role [^]
No tags attached.
related to design defect 0032869 acknowledged platform cannot switch to a role that's being defined in current session 
related to defect 0032870 closed caristu Add log information in HttpSecureAppServlet when role has not access 
Issue History
2016-03-03 16:09JONHMNew Issue
2016-03-03 16:09JONHMAssigned To => platform
2016-03-03 16:09JONHMModules => Core
2016-03-03 16:09JONHMTriggers an Emergency Pack => No
2016-03-03 16:42alostaleNote Added: 0084693
2016-03-03 16:42alostaleAssigned Toplatform => Triage Finance
2016-03-03 16:42alostaleCategoryB. User interface => 07. Sales management
2016-04-18 13:13egoitzAssigned ToTriage Finance => platform
2016-04-18 13:13egoitzCategory07. Sales management => A. Platform
2016-04-28 11:23alostaleDescription Updatedbug_revision_view_page.php?rev_id=11896#r11896
2016-04-28 11:23alostaleSteps to Reproduce Updatedbug_revision_view_page.php?rev_id=11898#r11898
2016-04-28 11:58alostaleSummaryProblem accessing some windows while user having Role set at Organization level => Role with Organization user level cannot see data in System/Client tables even if granted
2016-04-28 11:59alostaleReview Assigned To => caristu
2016-04-28 11:59alostaleTypedefect => feature request
2016-04-28 11:59alostaleProposed Solution updated
2016-04-29 07:30hgbotCheckin
2016-04-29 07:30hgbotNote Added: 0086066
2016-04-29 07:30hgbotStatusnew => resolved
2016-04-29 07:30hgbotResolutionopen => fixed
2016-04-29 07:30hgbotFixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/5438c3739fa273e3427257fcf231bf79ac5ba9d9 [^]
2016-04-29 07:30hgbotCheckin
2016-04-29 07:30hgbotNote Added: 0086067
2016-05-05 10:09caristuAssigned Toplatform => alostale
2016-05-05 10:09caristuNote Added: 0086203
2016-05-05 10:09caristuStatusresolved => new
2016-05-05 10:09caristuResolutionfixed => open
2016-05-05 10:47alostaleRelationship addedrelated to 0032869
2016-05-05 11:12caristuStatusnew => scheduled
2016-05-05 11:13caristuNote Added: 0086206
2016-05-05 11:13caristuStatusscheduled => resolved
2016-05-05 11:13caristuFixed in Version => 3.0PR16Q3
2016-05-05 11:13caristuResolutionopen => fixed
2016-05-05 11:15caristuNote Added: 0086207
2016-05-05 11:15caristuStatusresolved => closed
2016-05-05 11:24caristuNote Added: 0086208
2016-05-05 11:25caristuRelationship addedrelated to 0032870
2016-06-17 19:37hudsonbotCheckin
2016-06-17 19:37hudsonbotNote Added: 0087499

Notes
(0084693)
alostale   
2016-03-03 16:42   
This issue describes two topics:

1. Roles defined as Organization level cannot access data in tabs for System or System/Only tables, which is the case of Currency and Conversion Rates widows. This is as per design, so not an issue.
2. Copy Lines process requires explicit access to Currency entity. This can be reproduced with a role with access to only Sales Invoice window. This can be considered as an issue because having access to Sales Invoice window should grant access also to execute its processes.
(0086066)
hgbot   
2016-04-29 07:30   
Repository: erp/devel/pi
Changeset: 5438c3739fa273e3427257fcf231bf79ac5ba9d9
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Fri Mar 04 14:59:30 2016 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/5438c3739fa273e3427257fcf231bf79ac5ba9d9 [^]

fixes 32398: Organization role can't see data in System/Client tables

  A new preference has been created in order to bypass check that compares role's
  user level with entity's access level to completely prevent accessing latter one.

---
M src-db/database/sourcedata/AD_REF_LIST.xml
M src-test/src/org/openbravo/test/AllAntTaskTests.java
M src-test/src/org/openbravo/test/security/CrossOrganizationReference.java
M src-test/src/org/openbravo/test/security/ExplicitCrossOrganizationReference.java
M src/org/openbravo/base/secureApp/HttpSecureAppServlet.java
M src/org/openbravo/base/secureApp/LoginUtils.java
M src/org/openbravo/dal/core/OBContext.java
M src/org/openbravo/dal/security/EntityAccessChecker.java
A src-test/src/org/openbravo/test/security/BypassAccessLevelCheck.java
---
(0086067)
hgbot   
2016-04-29 07:30   
Repository: erp/devel/pi
Changeset: e47bc61fb8bd1d4c2759b92c46131d4d0cf82287
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Thu Apr 28 14:03:21 2016 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/e47bc61fb8bd1d4c2759b92c46131d4d0cf82287 [^]

related to issue 32398: fixes test case

---
M src-test/src/org/openbravo/test/security/CrossOrganizationReference.java
---
(0086203)
caristu   
2016-05-05 10:09   
Found an error following these steps:

1) Create a new Role with Organization access level
2) Assign it to the Openbravo user
3) Log out and log in
4) In the Role window again, navigate to the newly created role
5) Give it access to the "F&B International Group" organization
6) Give it access to the "F&B España, S.A" organization
7) Using the profile menu, try to switch to this new role. The following error appears:

Error occured: org.openbravo.base.exception.OBException: java.lang.IllegalArgumentException: Error when saving default values

Stack Trace:

Caused by: java.lang.IllegalArgumentException: Error when saving default values
    at org.openbravo.client.application.navigationbarcomponents.UserInfoWidgetActionHandler$UserSessionSetter.resetSession(UserInfoWidgetActionHandler.java:477)
    at org.openbravo.client.application.navigationbarcomponents.UserInfoWidgetActionHandler$UserSessionSetter.access$1(UserInfoWidgetActionHandler.java:432)
    at org.openbravo.client.application.navigationbarcomponents.UserInfoWidgetActionHandler.executeSaveCommand(UserInfoWidgetActionHandler.java:393)
    at org.openbravo.client.application.navigationbarcomponents.UserInfoWidgetActionHandler.execute(UserInfoWidgetActionHandler.java:91)
    ... 48 more
(0086206)
caristu   
2016-05-05 11:13   
The problem that caused this issue to be reopened is a design defect reported here: https://issues.openbravo.com/view.php?id=32869 [^]
(0086207)
caristu   
2016-05-05 11:15   
Code review + testing OK.

Following steps to reproduce and enabling the preference Bypass Access Level Entity Check:

- Currency window records can be seen (And they are not editable).
- It is possible to run the Copy Lines process successfully
(0086208)
caristu   
2016-05-05 11:24   
Updated wiki with new preference information: http://wiki.openbravo.com/wiki/Preference [^]
(0087499)
hudsonbot   
2016-06-17 19:37   
A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/0dc7be081b1c [^]
Maturity status: Test