Openbravo Issue Tracking System - Openbravo ERP |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0033355 | Openbravo ERP | C. Security | public | 2016-06-24 13:41 | 2016-08-11 18:40 |
|
| Reporter | AugustoMauch | |
| Assigned To | caristu | |
| Priority | normal | Severity | major | Reproducibility | have not tried |
| Status | closed | Resolution | fixed | |
| Platform | | OS | 5 | OS Version | |
| Product Version | | |
| Target Version | 3.0PR16Q4 | Fixed in Version | 3.0PR16Q4 | |
| Merge Request Status | |
| Review Assigned To | alostale |
| OBNetwork customer | No |
| Web browser | |
| Modules | Core |
| Support ticket | |
| Regression level | |
| Regression date | |
| Regression introduced in release | |
| Regression introduced by commit | |
| Triggers an Emergency Pack | No |
|
| Summary | 0033355: Potential security issue in Process Definitions |
| Description | In a process definition, it is possible to update a record that belongs to a client other than the current one, even if the OBContext is not in Administrator Mode. |
| Steps To Reproduce | - Apply the patch that will be attached to the issue. This patch adds a Process Definition to the Client window, where the System client is shown in all clients. The process definition updates the selected record.
- Log in with a client other than System
- Open the Client window
- Select the System client and press the new button. Check that the client has been modified, even though it shouldn't have been allowed. |
| Proposed Solution | |
| Additional Information | |
| Tags | No tags attached. |
| Relationships | | related to | defect | 0033166 | | closed | alostale | Openbravo ERP | Role with access to one organization can edit all of them in Organization window | | related to | feature request | 0033239 | RR16Q3 | closed | Sandrahuguet | Retail Modules | Provide a proces to recreate the mobile server authentication key |
|
| Attached Files |  issueProcessDefinition.diff (24,357) 2016-06-27 09:51
https://issues.openbravo.com/file_download.php?file_id=9579&type=bug
issue33355.diff (742) 2016-06-27 09:51
https://issues.openbravo.com/file_download.php?file_id=9580&type=bug |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2016-06-24 13:41 | AugustoMauch | New Issue | |
| 2016-06-24 13:41 | AugustoMauch | Assigned To | => platform |
| 2016-06-24 13:41 | AugustoMauch | OBNetwork customer | => No |
| 2016-06-24 13:41 | AugustoMauch | Modules | => Core |
| 2016-06-24 13:41 | AugustoMauch | Triggers an Emergency Pack | => No |
| 2016-06-24 13:43 | caristu | Assigned To | platform => caristu |
| 2016-06-24 13:43 | caristu | Status | new => acknowledged |
| 2016-06-27 09:25 | caristu | Relationship added | related to 0033166 |
| 2016-06-27 09:25 | caristu | Status | acknowledged => scheduled |
| 2016-06-27 09:25 | caristu | Target Version | => 3.0PR16Q4 |
| 2016-06-27 09:48 | caristu | File Added: issue33355.diff | |
| 2016-06-27 09:51 | caristu | File Deleted: issue33355.diff | |
| 2016-06-27 09:51 | caristu | File Added: issueProcessDefinition.diff | |
| 2016-06-27 09:51 | caristu | File Added: issue33355.diff | |
| 2016-06-27 10:08 | Sandrahuguet | Relationship added | related to 0033239 |
| 2016-07-18 13:16 | hgbot | Checkin | |
| 2016-07-18 13:16 | hgbot | Note Added: 0088551 | |
| 2016-07-18 13:16 | hgbot | Status | scheduled => resolved |
| 2016-07-18 13:16 | hgbot | Resolution | open => fixed |
| 2016-07-18 13:16 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/devel/pi/rev/5a3558090511f4d767ae11c5a3aee2c74708e9f9 [^] |
| 2016-07-18 13:16 | caristu | Review Assigned To | => alostale |
| 2016-07-18 13:16 | caristu | Issue Monitored: alostale | |
| 2016-07-22 10:41 | alostale | Note Added: 0088625 | |
| 2016-07-22 10:41 | alostale | Status | resolved => closed |
| 2016-07-22 10:41 | alostale | Fixed in Version | => 3.0PR16Q4 |
| 2016-08-11 18:40 | hudsonbot | Checkin | |
| 2016-08-11 18:40 | hudsonbot | Note Added: 0089018 | |