Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0004612Openbravo ERPA. Platformpublic2008-08-12 17:472009-02-18 14:13
Reporterroklenardic 
Assigned Toshuehner 
PrioritylowSeverityminorReproducibilityalways
StatusclosedResolutionno change required 
PlatformOS20OS VersionUbuntu 8.04
Product Version2.40alpha-r3 
Target VersionFixed in Version 
Merge Request Status
Review Assigned To
OBNetwork customer
Web browser
ModulesCore
Support ticket
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary0004612: #AD_Client_ID versus #User_Client session variables
DescriptionI cannot see the difference between the above two session variables. I found exactly one occurence for setting either of them and they are both set in the
        
  fillSessionArguments method of the LoginUtils.java
        
                // Set session vars
                vars.setSessionValue("#AD_User_ID", strUserAuth);
                vars.setSessionValue("#SalesRep_ID", strUserAuth);
                vars.setSessionValue("#AD_Language", strLanguage);
                vars.setSessionValue("#AD_Role_ID", strRol);
                vars.setSessionValue("#AD_Client_ID", strCliente);
                vars.setSessionValue("#AD_Org_ID", strOrg);
                vars.setSessionValue("#M_Warehouse_ID", strAlmacen);
        ...
                try {
                  SeguridadData[] data = SeguridadData.select(conn, strRol, strUserAuth);
                  if (data==null || data.length==0) return false;
                  vars.setSessionValue("#User_Level", data[0].userlevel);
                  vars.setSessionValue("#User_Client", data[0].clientlist);
        ...
        
  and the Seguridad_data.xsql specifies this for the select statement
        <SqlClass name="SeguridadData" package="org.openbravo.base.secureApp">
           <SqlClassComment></SqlClassComment>
           <SqlMethod name="select" type="preparedStatement" return="multiple">
              <SqlMethodComment></SqlMethodComment>
              <Sql><![CDATA[
                SELECT r.UserLevel,r.ClientList,r.OrgList,r.C_Currency_ID,r.AmtApproval,
                r.AD_Client_ID, c.NAME, u.C_BPARTNER_ID, c.VALUE, c.SMTPHOST
                FROM AD_ROLE r, AD_CLIENT c, AD_USER u,
                AD_USER_ROLES ur
                WHERE r.AD_Role_ID = to_number(?)
                AND ur.AD_USER_ID = to_number(?)
                AND r.AD_CLIENT_ID = c.AD_CLIENT_ID
                AND r.IsActive='Y' AND c.IsActive='Y'
                AND r.AD_ROLE_ID = ur.AD_ROLE_ID
                AND ur.AD_USER_ID = u.AD_USER_ID
              ]]></Sql>
        
        
 Basically, as far as i see, the #AD_Client_ID could technically be set to anything if there is a hacked HTTP POST, whereas #User_Client will for sure be set according to the user privileges set inside the database.
        
 However, I can't see any normal circumstance that these two session variables would ever be different, is there? If that is the case, we should then join them into one and make sure the privileges still remain verified through the database, not only use the posted value.
Steps To Reproduce
Proposed Solution
Additional Information
TagsNo tags attached.
Relationships
related to feature request 0007627 new Triage Platform Base Clarify if one role can have access to multiple clients. 
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2008-08-12 17:47roklenardicNew Issue
2008-08-12 17:47roklenardicAssigned To => cromero
2008-08-12 17:47roklenardicsf_bug_id0 => 2048144
2008-08-12 17:47roklenardicRegression testing => No
2008-08-18 10:14psarobeAssigned Tocromero => alostale
2008-08-18 10:14psarobePrioritynormal => low
2008-08-18 10:14psarobeStatusnew => scheduled
2008-12-10 09:58alostaleAssigned Toalostale => iperdomo
2009-01-23 17:16iperdomoAssigned Toiperdomo => shuehner
2009-02-18 13:45shuehnerNote Added: 0013652
2009-02-18 13:45shuehnerStatusscheduled => feedback
2009-02-18 14:09shuehnerRelationship addedrelated to 0007627
2009-02-18 14:13shuehnerStatusfeedback => closed
2009-02-18 14:13shuehnerNote Added: 0013657
2009-02-18 14:13shuehnerResolutionopen => no change required

Notes
(0013652)
shuehner   
2009-02-18 13:45   
I did check the usage of the two mentioned session values:
The #User_Client is semantically the list of accessable client for the selected role. The code is prepared to handle several accessable client per role, but currently this seems not be possible to setup in the ui. This value (which is not coming from the request data is used for the security validation of entries.

The #AD_Client_ID is taken from the request and is semantically the currently selected client (out of the #User_CLient list). This can be changed into any value by a forged request, however in LoginUtils the value for the selected client is already validated against the clientlist value (#User_Client) so that injection of arbitrary ad_client_id values is prohibited (see function call to ClientComboData.isRoleClient).
(0013657)
shuehner   
2009-02-18 14:13   
The possible security issue was checked and the code in question does validate the user input properly.

The question if a single role can have access to multiple clients has been spun-off into the featuer request 7627.