(0149141) | hgbot | 2023-05-02 15:41
Directly closing issue as related merge request is already approved.
Repository: https://gitlab.com/openbravo/product/openbravo
Changeset: 8f7a420b9e80866a0dc9e04bf612ad73e4faf78e
Author: Augusto Mauch <augusto.mauch@openbravo.com>
Date: 02-05-2023 15:39:19
URL: https://gitlab.com/openbravo/product/openbravo/-/commit/8f7a420b9e80866a0dc9e04bf612ad73e4faf78e
Fixes ISSUE-52172: Only SYSTEM role should have access to SYSTEM widgets
Adds a check to ensure that if the level provided when doing a request to obtain widget information is SYSTEM,
the user requesting that information is currently using the SYSTEM role.
Note that the frontend was already ensuring this by making the SYSTEM level available only to SYSTEM roles, but
because no check was being done in the backend it was possible to create a manual request to take advantage of this
vulnerability.
---
M modules/org.openbravo.client.myob/src/org/openbravo/client/myob/MyOpenbravoActionHandler.java
---