Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
ID: 0052171
Project: Openbravo ERP
Category: A. Platform
View Status: public
Date Submitted: 2023-04-19 17:13
Last Update: 2023-04-20 07:29
Reporter: AugustoMauch
Assigned To: AugustoMauch
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
5
Fixed in Version: PR23Q3
Modules: Core
Triggers an Emergency Pack: No
Summary: 0052171: Review widget access
Description: See https://docs.google.com/document/d/1UAYQeQTH3hIa6HD_lIjCAReFSDMYHthI9NAkd7Qt0Ww/edit#
-
No tags attached.
depends on backport 0052172 (PR23Q2, closed, AugustoMauch): Review widget access
depends on backport 0052173 (PR23Q1.2, closed, AugustoMauch): Review widget access
Issue History
2023-04-19 17:13  AugustoMauch  New Issue
2023-04-19 17:13  AugustoMauch  Assigned To => AugustoMauch
2023-04-19 17:13  AugustoMauch  Modules => Core
2023-04-19 17:13  AugustoMauch  Triggers an Emergency Pack => No
2023-04-19 17:13  AugustoMauch  Status: new => scheduled
2023-04-19 17:21  AugustoMauch  Description Updated (revision 25911)
2023-04-19 17:24  hgbot         Note Added: 0148608
2023-04-20 07:29  hgbot         Resolution: open => fixed
2023-04-20 07:29  hgbot         Status: scheduled => closed
2023-04-20 07:29  hgbot         Note Added: 0148615
2023-04-20 07:29  hgbot         Fixed in Version => PR23Q3
2023-04-20 07:29  hgbot         Note Added: 0148616

Notes
(0148608) hgbot, 2023-04-19 17:24
Merge Request created: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/859

(0148615) hgbot, 2023-04-20 07:29
Merge request merged: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/859

(0148616) hgbot, 2023-04-20 07:29
Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/openbravo/product/openbravo
Changeset: 60a083134d5ff337513f22b8e7b52b55a9ed656e
Author: Augusto Mauch <augusto.mauch@openbravo.com>
Date: 20-04-2023 05:28:45
URL: https://gitlab.com/openbravo/product/openbravo/-/commit/60a083134d5ff337513f22b8e7b52b55a9ed656e

Fixes ISSUE-52171: Only SYSTEM role should have access to SYSTEM widgets

Adds a check to ensure that if the level provided when doing a request to obtain widget information is SYSTEM,
the user requesting that information is currently using the SYSTEM role.

Note that the frontend was already ensuring this by making the SYSTEM level available only to SYSTEM roles, but
because no check was being done in the backend it was possible to create a manual request to take advantage of this
vulnerability.

---
M modules/org.openbravo.client.myob/src/org/openbravo/client/myob/MyOpenbravoActionHandler.java
---
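An added illustration of the server-side check the commit describes, showing the pre-fix handler that trusts the client-supplied level beside the fixed one that also consults the session's active role. This is not Openbravo's code: the Level enum, the Session record, the role label and the widget names are assumptions constructed for this example.

```java
import java.util.List;
import java.util.Map;

// Constructed model of the check in the commit. Names and values are
// assumptions for illustration, not Openbravo's real classes or role ids.
public final class WidgetLevelAccessExample {
    // Assumption: the widget levels a request may ask for.
    enum Level { SYSTEM, CLIENT, ORG, ROLE, USER }

    // The active role comes from the authenticated session, never from the request.
    record Session(String userName, String activeRole) {}

    static final String SYSTEM_ROLE = "System Administrator"; // assumed label

    // Sample widget catalogue, constructed for the example.
    static final Map<Level, List<String>> WIDGETS = Map.of(
        Level.SYSTEM, List.of("Heap monitor", "Background processes"),
        Level.CLIENT, List.of("Sales summary"),
        Level.USER,   List.of("My tasks"));

    // Before the fix: the backend trusted the "level" parameter, so a
    // hand-crafted request with level=SYSTEM received the SYSTEM widget list
    // regardless of the caller's role (the UI alone hid that option).
    static List<String> widgetsBeforeFix(Map<String, String> params, Session s) {
        Level level = Level.valueOf(params.getOrDefault("level", "USER"));
        return WIDGETS.getOrDefault(level, List.of());
    }

    // After the fix: SYSTEM level is served only when the session's current
    // role is the SYSTEM role, so the UI restriction is enforced server-side.
    static List<String> widgetsAfterFix(Map<String, String> params, Session s) {
        Level level = Level.valueOf(params.getOrDefault("level", "USER"));
        if (level == Level.SYSTEM && !SYSTEM_ROLE.equals(s.activeRole())) {
            throw new SecurityException("SYSTEM widgets require the SYSTEM role");
        }
        return WIDGETS.getOrDefault(level, List.of());
    }

    public static void main(String[] args) {
        Session clientAdmin = new Session("alice", "Client Admin");
        Map<String, String> request = Map.of("level", "SYSTEM"); // value the UI would not offer this role
        System.out.println("before: " + widgetsBeforeFix(request, clientAdmin)); // SYSTEM widgets returned
        try {
            widgetsAfterFix(request, clientAdmin);
        } catch (SecurityException e) {
            System.out.println("after: rejected (" + e.getMessage() + ")");
        }
        Session sysAdmin = new Session("root", SYSTEM_ROLE);
        System.out.println("after, SYSTEM role: " + widgetsAfterFix(request, sysAdmin));
    }
}
```

Both handlers log what they return so the difference is visible on a single run; in a real handler the role would be read from the authenticated session object, as the commit does, not passed in by the caller.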