Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0038800Openbravo ERP02. Master data managementpublic2018-06-21 11:082018-08-01 13:38
ReporterJONHM 
Assigned Tojarmendariz 
PriorityhighSeveritymajorReproducibilityalways
StatusclosedResolutionno change required 
PlatformOS5OS Version
Product Version 
Target VersionFixed in Version 
Merge Request Status
Review Assigned To
OBNetwork customerOBPS
Web browser
ModulesCore
Support ticket2705
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary0038800: It is possible to see the button action for records that are in read only (no access)
DescriptionIt is possible to see the button action for records that are in read only, logged with a user with no access to that organization.
Steps To Reproduce- Create a new Sales Order with Openbravo user, select organization "F&B España, S.A" and book the SO.
- Open "Role" window and select 'F&B España, S.A - Finance' role. Remove access to every organization but 'F&B España - Región Norte'.
- Assign 'John Smith' user to that role.
- Log out and log in using 'John Smith' user.
- Open 'Sales Order' window and select the previously created record. It's in read only but the buttons are displayed and 'Add Payment' process can be opened.
Proposed Solution
Additional Information
TagsNo tags attached.
Relationships
related to feature request 0039078 acknowledged Triage Platform Base make it possible to differentiate whether processes should be executable on non writable organizations 
Attached Filespng Screenshot from 2018-06-21 11-08-11.png (121,544) 2018-06-21 11:08
https://issues.openbravo.com/file_download.php?file_id=11878&type=bug
png
Issue History
Date ModifiedUsernameFieldChange
2018-06-21 11:08JONHMNew Issue
2018-06-21 11:08JONHMAssigned To => Triage Finance
2018-06-21 11:08JONHMFile Added: Screenshot from 2018-06-21 11-08-11.png
2018-06-21 11:08JONHMOBNetwork customer => Yes
2018-06-21 11:08JONHMModules => Core
2018-06-21 11:08JONHMSupport ticket => 2705
2018-06-21 11:08JONHMResolution time => 1531346400
2018-06-21 11:08JONHMTriggers an Emergency Pack => No
2018-06-22 08:46SandrahuguetAssigned ToTriage Finance => AtulOpenbravo
2018-07-02 16:07SandrahuguetAssigned ToAtulOpenbravo => platform
2018-07-25 12:09caristuReview Assigned To => caristu
2018-07-25 12:09caristuNote Added: 0105943
2018-07-25 12:09caristuStatusnew => closed
2018-07-25 12:15caristuAssigned Toplatform => jarmendariz
2018-07-25 12:15caristuStatusclosed => new
2018-07-25 12:15caristuNote Edited: 0105943bug_revision_view_page.php?bugnote_id=0105943#r17456
2018-07-25 12:17caristuNote Edited: 0105943bug_revision_view_page.php?bugnote_id=0105943#r17457
2018-07-30 09:39caristuReview Assigned Tocaristu =>
2018-08-01 13:34alostaleRelationship addedrelated to 0039078
2018-08-01 13:38alostaleNote Added: 0106084
2018-08-01 13:38alostaleStatusnew => closed
2018-08-01 13:38alostaleResolutionopen => no change required

Notes
(0105943)
caristu   
2018-07-25 12:09   
(edited on: 2018-07-25 12:17)
Note: currently processes can be secured in 3 ways:
    - Secured preference is set: explicit grant is required
    - Process is marked as requiresExplicitAccessPermission: explicit grant is required
    - None of the above: permission is inherited from window

Following the steps to reproduce the permissions for the processes are being inherited from the window (from the Sales Order window which the F&B España, S.A - Finance role has access to).
(0106084)
alostale   
2018-08-01 13:38   
Working as designed: in general there are processes that make sense to be executable for records in the natural tree of writable organizations. Even there are some processes that shouldn't allow it, there is no currently any way to differentiate them (reported separately by 0039078). Those processes that shouldn't allow execution for non-writable records should report an error when tried to be executed although they cannot be currently distinguished in the UI.