Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
0035263 | Openbravo ERP | 01. General setup | public | 2017-02-14 16:41 | 2017-03-15 20:19 |
Reporter | ngarcia | |
Assigned To | vmromanos | |
Priority | urgent | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | |
Platform | | OS | 5 | OS Version | |
Product Version | | |
Target Version | | Fixed in Version | 3.0PR17Q2 | |
Merge Request Status | |
Review Assigned To | markmm82 |
OBNetwork customer | |
Web browser | |
Modules | Core |
Support ticket | |
Regression level | |
Regression date | |
Regression introduced in release | |
Regression introduced by commit | |
Triggers an Emergency Pack | No |
Summary | 0035263: Role can add a widget to the workspace and see its contents although it does not have access to it |
Description | Role can add a widget to the workspace and see its contents although it does not have access to it |
Steps To Reproduce | As group admin role:
Create a new role
Set it as Manual
Add F&B España Organization
Create a new user
Add the previously created role
Log out
Log in with the previously created role
Click on Add Widget option in the workspace
Select Best Sellers
Insert a number in the Number of Rows field and Save
Check that you see the records, which you should not |
Proposed Solution | |
Additional Information | |
Tags | No tags attached. |
Relationships | related to | defect | 0035352 | | new | Triage Omni OMS | [Documentation] Add an explanation about Enable for all users option at widget level in Role - Widget Class Access |
Attached Files | |
Issue History |
Date Modified | Username | Field | Change |
2017-02-14 16:41 | ngarcia | New Issue | |
2017-02-14 16:41 | ngarcia | Assigned To | => Triage Finance |
2017-02-14 16:41 | ngarcia | Modules | => Core |
2017-02-14 16:41 | ngarcia | Resolution time | => 1489705200 |
2017-02-14 16:41 | ngarcia | Triggers an Emergency Pack | => No |
2017-02-14 16:42 | ngarcia | Issue Monitored: networkb | |
2017-02-14 16:48 | jfrances | Issue Monitored: jfrances | |
2017-02-14 22:39 | markmm82 | Assigned To | Triage Finance => collazoandy4 |
2017-02-16 11:25 | vmromanos | Status | new => scheduled |
2017-02-16 11:25 | vmromanos | Assigned To | collazoandy4 => vmromanos |
2017-02-16 12:22 | vmromanos | Note Added: 0094384 | |
2017-02-16 12:24 | vmromanos | Note Added: 0094385 | |
2017-02-16 12:31 | jfrances | Note Added: 0094386 | |
2017-02-16 13:21 | vmromanos | Note Edited: 0094385 | bug_revision_view_page.php?bugnote_id=0094385#r14615 |
2017-02-16 17:25 | markmm82 | Note Added: 0094397 | |
2017-02-16 17:30 | markmm82 | Note Edited: 0094397 | bug_revision_view_page.php?bugnote_id=0094397#r14623 |
2017-02-16 17:32 | jfrances | Note Added: 0094399 | |
2017-02-16 18:42 | vmromanos | Note Added: 0094404 | |
2017-02-16 19:13 | hgbot | Checkin | |
2017-02-16 19:13 | hgbot | Note Added: 0094405 | |
2017-02-16 19:13 | hgbot | Status | scheduled => resolved |
2017-02-16 19:13 | hgbot | Resolution | open => fixed |
2017-02-16 19:13 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/devel/pi/rev/a28822293fdd507896a5d172e32dd4712d62277a [^] |
2017-02-16 19:15 | markmm82 | Review Assigned To | => markmm82 |
2017-02-16 19:15 | markmm82 | Note Added: 0094406 | |
2017-02-16 19:15 | markmm82 | Status | resolved => closed |
2017-02-16 19:15 | markmm82 | Fixed in Version | => 3.0PR17Q2 |
2017-02-23 18:34 | ngarcia | Relationship added | related to 0035352 |
2017-03-15 20:19 | hudsonbot | Checkin | |
2017-03-15 20:19 | hudsonbot | Note Added: 0095190 | |
Notes |
(0094384) | vmromanos | 2017-02-16 12:22 |
Note that this issue only affects the Best Seller widget, so it's not a generic platform issue |
(0094385) | vmromanos | 2017-02-16 12:24 (edited on: 2017-02-16 13:21) |
Test plan:
As group admin role:
Create a new role
Set it as Manual
Add F&B España Organization
Create a new user
Add the previously created role
Log out
Log in with the previously created user
Click on Add Widget option in the workspace
Select Best Sellers
Insert a number in the Number of Rows field and Save
Verify you only see records that belong to Spanish organizations (easy to identify as they are written in Spanish)
|
(0094386) | jfrances | 2017-02-16 12:31 |
For the above test plan indicated by vmromanos, the new user/role shouldn't have access to the widget if the widget is not in the role.
The user can see information in the widgets without having permissions to view this information. The user doesn't have access to the product window nor the "best seller" widget, but they can add the widget to their workspace. |
(0094397) | markmm82 | 2017-02-16 17:25 (edited on: 2017-02-16 17:30) |
In the particular case of access to widgets, unlike how the rest of the windows and processes work in OB,
there is the "Enable for all Users" flag which, when activated, makes access to this widget public.
This configuration has a higher priority than whether or not the role has been given access to a widget.
For this reason, if it is desired that not all the roles have access to a widget, it will be necessary to:
- First disable the "Enable for all Users" option for those widgets that will not be publicly accessible.
- Go to the Role window and select the role you want to grant access to. Move to the "Widget Class Access" tab and add the widgets to which you want to allow the role access.
This way, users with the role will only be able to see public widgets (those with the "Enable for all Users" flag checked) and the non-public widgets configured for the role.
From this point of view I think this is not an issue and has a functional solution.
|
(0094399) | jfrances | 2017-02-16 17:32 |
Thanks markmm82, you're right, I didn't know that functionality. |
(0094404) | vmromanos | 2017-02-16 18:42 |
You are mixing up things:
1. This flag is to enable the widget for a role regardless of whether this role has explicit access to the widget in the Widget Access tab.
2. Once the widget is enabled for the user, it can only show records belonging to the organizations where it has access. In the test plan, it makes no sense that the user can see records belonging to US because he has no access to this organization.
That's why this is a real issue that should be fixed.
3. Finally, the widget can show information about entities that you don't have access to. Actually it doesn't show the full entity, but just "names and numbers". If you try to browse to the window for that entity, the system will block you if your role doesn't have the necessary privileges for the window. |
|
(0094405) | hgbot | 2017-02-16 19:13 |
Repository: erp/devel/pi
Changeset: a28822293fdd507896a5d172e32dd4712d62277a
Author: Victor Martinez Romanos <victor.martinez <at> openbravo.com>
Date: Thu Feb 16 12:22:58 2017 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/a28822293fdd507896a5d172e32dd4712d62277a [^]
Fixed bug 35263: Organization filter in Best Seller widget
The Best Seller widget didn't have an organization filter, thus showing records belonging to organizations where the role doesn't have access.
The fix introduces a new parameter to get the readable orgs, and the HQL query has been adapted to use it.
---
M modules/org.openbravo.client.widgets/src-db/database/sourcedata/OBCQL_WIDGET_QUERY.xml
M modules/org.openbravo.client.widgets/src-db/database/sourcedata/OBUIAPP_PARAMETER.xml
---
|
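The two access layers discussed in notes 0094397 and 0094404 are easy to conflate, so here is an added example that is not Openbravo code and does not use the real OBCQL widget query or schema. It models, over a constructed SQLite table, the widget-visibility rule from note 0094397 (the "Enable for all Users" flag taking precedence over Widget Class Access) next to a best-seller query in its pre-fix form (no organization filter) and in the form the changeset describes (readable organizations passed in as a bound parameter). The organization ids, product names, role name and function names are all invented for the example.

```python
import sqlite3
from typing import Iterable, List

# Constructed sample data (not Openbravo's real schema): three organizations and
# some sales lines. Spanish organizations sell products with Spanish names, which
# is how the test plan in this issue tells the rows apart.
ORGS = {"ES-NORTE": "F&B España Norte", "ES-SUR": "F&B España Sur", "US-WEST": "F&B US West"}
SALES = [  # (org_id, product, qty)
    ("ES-NORTE", "Cerveza Ale", 120),
    ("ES-SUR", "Vino Tinto", 90),
    ("ES-NORTE", "Agua Mineral", 60),
    ("US-WEST", "Cola Soda", 300),
    ("US-WEST", "Root Beer", 150),
]

# Widget visibility as described in note 0094397: a role may add a widget when it
# is flagged "Enable for all Users" OR the role lists it under Widget Class Access.
# The widget dictionary and role name are hypothetical.
WIDGETS = {"Best Sellers": {"enabled_for_all_users": True}}
ROLE_WIDGET_ACCESS = {"manual_es_role": set()}  # new manual role, no explicit widget access


def can_add_widget(widget: str, role: str, widgets=WIDGETS, access=ROLE_WIDGET_ACCESS) -> bool:
    """Layer 1: may this role add the widget to its workspace at all?"""
    if widgets[widget]["enabled_for_all_users"]:
        return True
    return widget in access.get(role, set())


def build_db() -> sqlite3.Connection:
    """Create the in-memory table and load the constructed sales lines."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales (org_id TEXT NOT NULL, product TEXT NOT NULL, qty INTEGER NOT NULL)")
    conn.executemany("INSERT INTO sales VALUES (?, ?, ?)", SALES)
    return conn


def best_sellers_unfiltered(conn: sqlite3.Connection, rows: int) -> List[str]:
    """Layer 2, before the fix: the query ignores the caller's organizations,
    so the US-WEST top sellers leak to a role scoped to the Spanish orgs."""
    sql = ("SELECT product, SUM(qty) AS total FROM sales "
           "GROUP BY product ORDER BY total DESC LIMIT ?")
    return [product for product, _ in conn.execute(sql, (rows,))]


def best_sellers_for_orgs(conn: sqlite3.Connection, readable_orgs: Iterable[str], rows: int) -> List[str]:
    """Layer 2, after the fix: the readable organizations are bound as query
    parameters and applied in the WHERE clause, so filtering happens in the
    database rather than being left to the client. No orgs means no rows."""
    orgs = list(readable_orgs)
    if not orgs:
        return []
    placeholders = ",".join("?" * len(orgs))
    sql = ("SELECT product, SUM(qty) AS total FROM sales "
           f"WHERE org_id IN ({placeholders}) "
           "GROUP BY product ORDER BY total DESC LIMIT ?")
    return [product for product, _ in conn.execute(sql, (*orgs, rows))]


if __name__ == "__main__":
    db = build_db()
    role = "manual_es_role"
    spanish_orgs = [org for org in ORGS if org.startswith("ES-")]
    print("can add widget:", can_add_widget("Best Sellers", role))
    print("before fix:", best_sellers_unfiltered(db, 3))
    print("after fix: ", best_sellers_for_orgs(db, spanish_orgs, 3))
```

Running it shows the point of note 0094404: the role can legitimately add the widget (layer 1 passes because of the public flag), yet the unfiltered query returns "Cola Soda" and "Root Beer" from US-WEST, while the parameterized query returns only the Spanish products. Turning the flag off only hides the widget; it does not make the query's data scope correct, which is why the organization filter belongs in the query itself.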