Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
0036725Openbravo ERP01. General setuppublic2017-08-28 10:132017-09-22 18:28
maite 
AugustoMauch 
urgentmajoralways
closedfixed 
5
 
3.0PR17Q4 
caristu
Core
No
0036725: Should not be possible to create new data when user is not able to edit existent data
Should not be possible to create new data when user is not able to edit existent data
0. Create new role named "españa" setting UserLevel=Organization
1. Edit "Org Access" to only leave access to "F&B España - Región Norte" and "F&B España - Región Sur" organizations
2. Edit "User Assigment" to define "Openbravo"
3. Logout and login again using "españa" role
4. Access Business Partner window and realize that you are able to see "F&B España, S.A" records bt not able to edit it (which is OK)
5. Access "Location/Address" tab and realize that you are not able to edit reord (which is OK) but you are able to create new record (which is not OK). Moreover it will be created to organization different from "F&B España, S.A"

Same behavior present in Product window
Organization field was set as readonly in Business Partner, Product... tabs as you were able to create data inconsistency between header's org and tab's org. For that reason, user should not be able to create records in tabs where Organization field is not shown (such as Business Partner, Product...) and in case it has not edit permissions to header's organization
No tags attached.
duplicate of design defect 0026170 closed AugustoMauch Openbravo ERP Role can add lines in sales order without access to the org of the header 
related to defect 0036661 closed rqueralta Retail Modules Wrong organization set to Business Partner address so order is not synchronized 
related to feature request 0036866 new platform Openbravo ERP Make explicit in the UI why a toolbar button is disabled 
related to defect 0039784 closed ranjith_qualiantech_com Retail Modules OBPOS_HardwareURL may be generated by org *  
causes defect 0036953 closed caristu Openbravo ERP Can not create records in Organization window sub-tabs 
Issue History
2017-08-28 10:13maiteNew Issue
2017-08-28 10:13maiteAssigned To => Triage Finance
2017-08-28 10:13maiteModules => Core
2017-08-28 10:13maiteResolution time => 1505080800
2017-08-28 10:13maiteTriggers an Emergency Pack => No
2017-08-28 10:13maiteIssue Monitored: networkb
2017-08-31 09:40aferrazSteps to Reproduce Updatedbug_revision_view_page.php?rev_id=15766#r15766
2017-08-31 10:00aferrazAssigned ToTriage Finance => platform
2017-08-31 10:08aferrazNote Added: 0098743
2017-08-31 11:47alostaleRelationship addedduplicate of 0026170
2017-09-05 09:09alostaleNote Added: 0098822
2017-09-05 09:09alostaleStatusnew => feedback
2017-09-11 10:45maiteRelationship addedrelated to 0036661
2017-09-13 16:36maiteStatusfeedback => new
2017-09-14 10:03AugustoMauchAssigned Toplatform => AugustoMauch
2017-09-15 12:30AugustoMauchReview Assigned To => caristu
2017-09-15 12:31hgbotCheckin
2017-09-15 12:31hgbotNote Added: 0099069
2017-09-15 12:31hgbotStatusnew => resolved
2017-09-15 12:31hgbotResolutionopen => fixed
2017-09-15 12:31hgbotFixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/0c8047a2daa39f0c4daacccad122b69517a203e0 [^]
2017-09-15 12:43AugustoMauchRelationship addedrelated to 0036866
2017-09-18 10:23hgbotCheckin
2017-09-18 10:23hgbotNote Added: 0099093
2017-09-21 16:50hudsonbotCheckin
2017-09-21 16:50hudsonbotNote Added: 0099400
2017-09-21 16:50hudsonbotCheckin
2017-09-21 16:50hudsonbotNote Added: 0099402
2017-09-22 10:10caristuNote Added: 0099464
2017-09-22 10:12caristuNote Edited: 0099464bug_revision_view_page.php?bugnote_id=0099464#r15971
2017-09-22 10:13caristuNote Edited: 0099464bug_revision_view_page.php?bugnote_id=0099464#r15972
2017-09-22 10:32caristuStatusresolved => new
2017-09-22 10:32caristuResolutionfixed => open
2017-09-22 11:04hgbotCheckin
2017-09-22 11:04hgbotNote Added: 0099474
2017-09-22 11:04hgbotStatusnew => resolved
2017-09-22 11:04hgbotResolutionopen => fixed
2017-09-22 11:04hgbotFixed in SCM revisionhttp://code.openbravo.com/erp/devel/pi/rev/0c8047a2daa39f0c4daacccad122b69517a203e0 [^] => http://code.openbravo.com/erp/devel/pi/rev/cf859d178908414a35b159d55df22169cc7afd3d [^]
2017-09-22 12:34caristuNote Added: 0099480
2017-09-22 12:34caristuStatusresolved => closed
2017-09-22 12:34caristuFixed in Version => 3.0PR17Q4
2017-09-22 18:28hudsonbotCheckin
2017-09-22 18:28hudsonbotNote Added: 0099501
2017-09-26 13:20caristuRelationship addedcauses 0036953
2019-05-27 17:12mtaalRelationship addedrelated to 0039784

Notes
(0098743)
aferraz   
2017-08-31 10:08   
Problem is reproducible in any window.
You are not able to edit records belonging to organizations you don't have access to (which is ok).
You are able to create records belonging to organizations you have access to (which is ok), but being children of records belonging to organizations you don't have access to (which is not ok).
(0098822)
alostale   
2017-09-05 09:09   
Setting as feedback as this issue is under internal discussion on how it should be addressed.
(0099069)
hgbot   
2017-09-15 12:31   
Repository: erp/devel/pi
Changeset: 0c8047a2daa39f0c4daacccad122b69517a203e0
Author: Augusto Mauch <augusto.mauch <at> openbravo.com>
Date: Fri Sep 15 12:27:06 2017 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/0c8047a2daa39f0c4daacccad122b69517a203e0 [^]

Fixes issue 36725: Check role write access to organization of parent record

If the current role does not have writable access to the record selected in a tab, the user should not be allowed to create records in its subtabs.

Now this is taken into account in order to enable/disable the toolbar buttons that create new records, and also in the logic that creates a link to create new records in a tab if the gr
id is currently empty.

Now it will not be possible to enter records in a subtab if:
- The subtab has an editable organization field
- The user's role does not have writable access to the organization of the record selected in the parent tab.

Now the list of the current role of the user writable organizations is available in OB.User.writableOrganizations.

---
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/grid/ob-view-grid.js
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/main/ob-standard-view.js
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/toolbar/ob-toolbar.js
M modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/ApplicationDynamicComponent.java
M modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/templates/application-dynamic-js.ftl
---
(0099093)
hgbot   
2017-09-18 10:23   
Repository: erp/devel/pi
Changeset: f9da9c951a5dbec42cd7630692e55b7dd2c50f79
Author: Augusto Mauch <augusto.mauch <at> openbravo.com>
Date: Mon Sep 18 10:20:43 2017 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/f9da9c951a5dbec42cd7630692e55b7dd2c50f79 [^]

Related with issue 36725: Prevents error when opening direct subtab

The following case was not working:
- Open Window, Tabs and Fields
- Select any field, open it in form view
- Click on the "Column" field title. It should open the Tables and Columns window and focus on the Column tab, but it will fail.

This happens because it was not enough to check if this.parentView.viewGrid.getSelectedRecord() was null, it could also be undefined.

---
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/main/ob-standard-view.js
---
(0099400)
hudsonbot   
2017-09-21 16:50   
A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/9750b78d3e5c [^]
Maturity status: Test
(0099402)
hudsonbot   
2017-09-21 16:50   
A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/9750b78d3e5c [^]
Maturity status: Test
(0099464)
caristu   
2017-09-22 10:10   
(edited on: 2017-09-22 10:13)
There is still one way to create records that is not being taken into account, through the right click context menu:

- Right click > Insert row
- Right click > New record in form

https://docs.google.com/spreadsheets/d/18l2biKWeG6iGDIPqO6VuYQ_TtP_6YxyQU4KSrPvQlJ8/edit#gid=0 [^]

(0099474)
hgbot   
2017-09-22 11:04   
Repository: erp/devel/pi
Changeset: cf859d178908414a35b159d55df22169cc7afd3d
Author: Augusto Mauch <augusto.mauch <at> openbravo.com>
Date: Fri Sep 22 10:40:47 2017 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/cf859d178908414a35b159d55df22169cc7afd3d [^]

Fixes issue 36725: Records cannot be created using grid's contextual menu

Now if the user cannot add records because its role does not have access to the organization selected in the parent tab, it will not be possible
to add records using the grid's contextual menu.

This needs to be addressed in two different contextuals menus:
- The one shown when right-clicking on a grid record
- The one shown when right-clicking on the grid empty space

Also, simplifies an if condition to check for null/undefined

---
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/grid/ob-view-grid.js
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/main/ob-standard-view.js
---
(0099480)
caristu   
2017-09-22 12:34   
Code reviewed + tested OK.
(0099501)
hudsonbot   
2017-09-22 18:28   
A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/b4329e391b82 [^]
Maturity status: Test