Openbravo Issue Tracking System - Openbravo ERP |
View Issue Details |
ID | Project | Category | View Status | Date Submitted | Last Update |
0033166 | Openbravo ERP | 01. General setup | public | 2016-06-06 18:13 | 2017-02-01 15:41 |
Reporter | ngarcia | |
Assigned To | alostale | |
Priority | urgent | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | |
Platform | | OS | 5 | OS Version | |
Product Version | | |
Target Version | | Fixed in Version | 3.0PR16Q3 | |
Merge Request Status | |
Review Assigned To | caristu |
OBNetwork customer | |
Web browser | |
Modules | Core |
Support ticket | |
Regression level | |
Regression date | |
Regression introduced in release | |
Regression introduced by commit | |
Triggers an Emergency Pack | No |
Summary | 0033166: Role with access to one organization can edit all of them in Organization window |
Description | Role with access to one organization can edit all of them in Organization window |
Steps To Reproduce | As group admin role:
Create a new Role:
User Level: Client+Organization
Advanced: Y
Remove all the organizations except F&B España - Región Norte
Add the role to Openbravo User
Log out and log in with previously created role
Go to Organization window and observe you can edit all the organizations |
Proposed Solution | |
Additional Information | |
Tags | No tags attached. |
Relationships |
Relationship | Type | ID | Fixed in | Status | Assigned To | Summary |
related to | defect | 0033255 | | closed | alostale | some organizations not shown in tree view |
related to | defect | 0033198 | | closed | dmiguelez | Wrong Organization in treenode |
related to | defect | 0033355 | 3.0PR16Q4 | closed | caristu | Potential security issue in Process Definitions |
related to | defect | 0040303 | | closed | jarmendariz | System allows to show all the organizations to the user who has access to only single organization |
causes | defect | 0034977 | | closed | inigosanchez | A deactivated organization can not be activated again. |
Attached Files | |
Issue History |
Date Modified | Username | Field | Change |
2016-06-06 18:13 | ngarcia | New Issue | |
2016-06-06 18:13 | ngarcia | Assigned To | => Triage Finance |
2016-06-06 18:13 | ngarcia | Modules | => Core |
2016-06-06 18:13 | ngarcia | Resolution time | => 1466978400 |
2016-06-06 18:13 | ngarcia | Triggers an Emergency Pack | => No |
2016-06-06 18:14 | ngarcia | Issue Monitored: networkb | |
2016-06-06 18:57 | aferraz | Assigned To | Triage Finance => platform |
2016-06-14 10:27 | alostale | Issue cloned | 0033255 |
2016-06-14 10:27 | alostale | Relationship added | related to 0033255 |
2016-06-14 10:28 | alostale | Summary | Role with access to one organization can edit all of them in Organization window, some of them not shown in tree view => Role with access to one organization can edit all of them in Organization window |
2016-06-14 10:28 | alostale | Description Updated | bug_revision_view_page.php?rev_id=12360#r12360 |
2016-06-14 10:28 | alostale | Steps to Reproduce Updated | bug_revision_view_page.php?rev_id=12362#r12362 |
2016-06-14 10:29 | alostale | Note Added: 0087235 | |
2016-06-14 10:30 | alostale | Relationship added | related to 0033198 |
2016-06-15 09:02 | alostale | Review Assigned To | => caristu |
2016-06-15 09:07 | hgbot | Checkin | |
2016-06-15 09:07 | hgbot | Note Added: 0087281 | |
2016-06-15 09:07 | hgbot | Checkin | |
2016-06-15 09:07 | hgbot | Note Added: 0087282 | |
2016-06-15 09:07 | hgbot | Status | new => resolved |
2016-06-15 09:07 | hgbot | Resolution | open => fixed |
2016-06-15 09:07 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/devel/pi/rev/463564b77a032485223cc070cf0aa66f6f0e03d8 |
2016-06-17 10:14 | caristu | Note Added: 0087382 | |
2016-06-17 10:14 | caristu | Status | resolved => closed |
2016-06-17 10:14 | caristu | Fixed in Version | => 3.0PR16Q3 |
2016-06-17 19:38 | hudsonbot | Checkin | |
2016-06-17 19:38 | hudsonbot | Note Added: 0087618 | |
2016-06-17 19:38 | hudsonbot | Checkin | |
2016-06-17 19:38 | hudsonbot | Note Added: 0087619 | |
2016-06-27 09:25 | caristu | Relationship added | related to 0033355 |
2017-01-25 08:37 | caristu | Relationship added | causes 0034977 |
2017-02-01 15:41 | alostale | Assigned To | platform => alostale |
2019-03-11 13:26 | jarmendariz | Relationship added | related to 0040303 |
Notes |
(0087235) | alostale | 2016-06-14 10:29
Originally, 2 issues were reported in this one; 0033255 has been created to split it. |
(0087281) | hgbot | 2016-06-15 09:07
Repository: erp/devel/pi
Changeset: ac14fb7ab6ef4aa3bddb9e0b6907eafa4d3b1eeb
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Wed Jun 15 08:39:05 2016 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/ac14fb7ab6ef4aa3bddb9e0b6907eafa4d3b1eeb
related to bug 33166: writable access is not checked when editing client/org
Code clean up: consolidated 3 implementations of checkWritable in one:
- SecurityChecker.checkWriteAccess duplicated code in SecurityChecker.isWritable
with the only difference of returning a boolean instead of throwing an
exception. Now isWritable invokes checkWriteAccess.
- FIC implemented this check again to make the UI read-only for non-writable
rows; now it invokes the SecurityChecker.isWritable method.
---
M modules/org.openbravo.client.application/src/org/openbravo/client/application/window/FormInitializationComponent.java
M src/org/openbravo/dal/security/SecurityChecker.java
---
(0087282) | hgbot | 2016-06-15 09:07
Repository: erp/devel/pi
Changeset: 463564b77a032485223cc070cf0aa66f6f0e03d8
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Wed Jun 15 09:06:46 2016 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/463564b77a032485223cc070cf0aa66f6f0e03d8
fixed bug 33166: writable access is not checked when editing client/org
A role without access to organization A could edit it in Organization window.
Writable access was bypassed in this case both in UI and DAL.
This patch includes two fixes:
- DAL (SecurityChecker) treats instances of Client and Organization objects
as special cases, getting the client or organization ids not from the FK property
but directly from their own id. In this manner the check is performed for
those entities.
- Grid UI. A similar implementation is done to decide whether a row should be
marked as read-only. In this case it is not possible to reuse the previous code
as the checks are done on a json object instead of on a DAL object.
---
M modules/org.openbravo.service.json/src/org/openbravo/service/json/DefaultJsonDataService.java
M src/org/openbravo/dal/security/SecurityChecker.java
---
(0087382) | caristu | 2016-06-17 10:14
Code review + testing OK
Verified in pi@a3288a6ce595 |
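The two hgbot notes above describe the fix in words: the generic write check derived a record's scope from its client/organization FK properties, which let Client and Organization rows slip past it, and the patch special-cases those two entities so their own id is used as the scope. The following is an added example, not Openbravo's code and not the SecurityChecker API: it models that check in Python with hypothetical Role and Record types. Two details are assumptions of the model rather than facts stated on the page: that an Organization row carries no organization FK (so the pre-fix check found nothing to compare and treated the row as unscoped), and the constructed role and organization data used to replay the "Steps To Reproduce" scenario.

```python
"""Model of the Client/Organization write-access check fixed in bug 33166.

Added example, not Openbravo code. Role, Record, scope_before_fix,
scope_after_fix, check_write_access and is_writable are hypothetical names
chosen for this model; the bypass mechanism (missing FK on Organization rows)
is an assumption used to reproduce the behaviour the issue describes.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Role:
    client_id: str                   # client the role belongs to
    writable_orgs: FrozenSet[str]    # organizations the role may write


@dataclass(frozen=True)
class Record:
    entity: str                      # e.g. "Organization", "Client", "BusinessPartner"
    id: str                          # the row's own primary key
    client_id: Optional[str] = None        # client FK property (absent on Client rows)
    organization_id: Optional[str] = None  # organization FK property (absent on Org rows, assumed)


Scope = Tuple[Optional[str], Optional[str]]   # (client id, organization id) to check


def scope_before_fix(rec: Record) -> Scope:
    """Pre-fix behaviour (modelled): scope is read only from the FK properties,
    so an Organization row yields organization_id=None and is never compared."""
    return rec.client_id, rec.organization_id


def scope_after_fix(rec: Record) -> Scope:
    """Post-fix behaviour: Client and Organization instances are special-cased
    and their own id becomes the scope that is checked."""
    if rec.entity == "Organization":
        return rec.client_id, rec.id
    if rec.entity == "Client":
        return rec.id, None
    return rec.client_id, rec.organization_id


def check_write_access(role: Role, rec: Record,
                       scope_of: Callable[[Record], Scope] = scope_after_fix) -> None:
    """Raise PermissionError when rec is not writable by role (the throwing variant)."""
    client_id, org_id = scope_of(rec)
    if client_id is not None and client_id != role.client_id:
        raise PermissionError(f"{rec.entity} {rec.id}: client {client_id} not accessible")
    if org_id is not None and org_id not in role.writable_orgs:
        raise PermissionError(f"{rec.entity} {rec.id}: organization {org_id} not writable")
    # org_id is None: the generic check has nothing to compare and lets the row through.


def is_writable(role: Role, rec: Record,
                scope_of: Callable[[Record], Scope] = scope_after_fix) -> bool:
    """Boolean wrapper that delegates to check_write_access, as the clean-up note
    consolidated the duplicated isWritable/checkWriteAccess logic."""
    try:
        check_write_access(role, rec, scope_of)
    except PermissionError:
        return False
    return True


def replay_reproduce_steps() -> dict:
    """Constructed data mirroring the reported scenario: a role whose only
    writable organization is 'NORTE' opens the Organization window."""
    role = Role(client_id="FB", writable_orgs=frozenset({"NORTE"}))
    orgs = [Record("Organization", "NORTE", client_id="FB"),
            Record("Organization", "SUR", client_id="FB")]
    return {
        "before_fix": {o.id: is_writable(role, o, scope_before_fix) for o in orgs},
        "after_fix": {o.id: is_writable(role, o) for o in orgs},
    }


if __name__ == "__main__":
    print(replay_reproduce_steps())
```

Before the fix the model reports both organizations as writable, which is the symptom in the report; after it only NORTE is, and an ordinary organization-scoped row (a business partner in SUR, say) is refused by both variants, showing that the hole was specific to the two entities whose scope is themselves.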