Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
ID: 0052172
Project: Openbravo ERP
Category: A. Platform
View Status: public
Date Submitted: 2023-04-19 17:13
Last Update: 2023-05-02 15:41
Reporter: AugustoMauch
Assigned To: AugustoMauch
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
5
 
Target Version: PR23Q2
Fixed in Version: PR23Q2
Core
No
Summary: 0052172: Review widget access
-
-
No tags attached.
Relationships: blocks defect 0052171 (closed, AugustoMauch): Review widget access
Issue History
2023-04-19 17:13  AugustoMauch  Type: defect => backport
2023-04-19 17:13  AugustoMauch  Target Version: => PR23Q2
2023-05-02 15:39  hgbot         Note Added: 0149140
2023-05-02 15:41  hgbot         Resolution: open => fixed
2023-05-02 15:41  hgbot         Status: scheduled => closed
2023-05-02 15:41  hgbot         Fixed in Version: => PR23Q2
2023-05-02 15:41  hgbot         Note Added: 0149141
2023-05-02 15:41  hgbot         Note Added: 0149142

Notes
(0149140) hgbot 2023-05-02 15:39
Merge Request created: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/871
(0149141) hgbot 2023-05-02 15:41
Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/openbravo/product/openbravo
Changeset: 8f7a420b9e80866a0dc9e04bf612ad73e4faf78e
Author: Augusto Mauch <augusto.mauch@openbravo.com>
Date: 02-05-2023 15:39:19
URL: https://gitlab.com/openbravo/product/openbravo/-/commit/8f7a420b9e80866a0dc9e04bf612ad73e4faf78e

Fixes ISSUE-52172: Only SYSTEM role should have access to SYSTEM widgets

Adds a check to ensure that if the level provided when doing a request to obtain widget information is SYSTEM,
the user requesting that information is currently using the SYSTEM role.

Note that the frontend was already ensuring this by making the SYSTEM level available only to SYSTEM roles, but
because no check was being done in the backend it was possible to create a manual request to take advantage of this
vulnerability.

---
M modules/org.openbravo.client.myob/src/org/openbravo/client/myob/MyOpenbravoActionHandler.java
---
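The commit message above describes the fix only in prose. The following is an added example, not Openbravo's code and not the contents of the changeset: it shows the pattern the message describes, a backend handler that takes a client-supplied "level" parameter and, when that level is SYSTEM, verifies that the role currently in use is the SYSTEM role before serving widget data. The before/after handlers are shown side by side. Every class, method and role name here (RequestContext, getWidgetsUnchecked, getWidgetsChecked, the "CLIENT_ADMIN" role, the widget names) is a hypothetical stand-in chosen for the example, and the widget list is constructed sample data.

```java
// Added example (not Openbravo's code). All names are hypothetical stand-ins
// for the request context, the handler and the widget repository.
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class WidgetAccessCheckExample {

  static final String SYSTEM_ROLE = "SYSTEM";
  static final String SYSTEM_LEVEL = "SYSTEM";

  // Hypothetical stand-in for the caller's session: the role currently in use.
  static final class RequestContext {
    final String currentRole;
    RequestContext(String currentRole) { this.currentRole = currentRole; }
  }

  // Raised when a request asks for data that its current role may not see.
  static final class AccessDeniedException extends RuntimeException {
    AccessDeniedException(String msg) { super(msg); }
  }

  // BEFORE: the level is taken from the request as-is. The UI only offers the
  // SYSTEM level to SYSTEM roles, but the server does not verify that, so any
  // role that sends level=SYSTEM is served SYSTEM-level widgets.
  static List<String> getWidgetsUnchecked(RequestContext ctx, Map<String, String> params) {
    String level = params.getOrDefault("level", "USER");
    return lookupWidgets(level);
  }

  // AFTER: the server checks the client-supplied level against the role
  // actually in use before doing anything with it. The UI restriction stays
  // as a usability measure; this check is the one that enforces access.
  static List<String> getWidgetsChecked(RequestContext ctx, Map<String, String> params) {
    String level = params.getOrDefault("level", "USER");
    if (SYSTEM_LEVEL.equals(level) && !SYSTEM_ROLE.equals(ctx.currentRole)) {
      throw new AccessDeniedException("level SYSTEM requires the SYSTEM role");
    }
    return lookupWidgets(level);
  }

  // Constructed sample data standing in for the widget repository.
  static List<String> lookupWidgets(String level) {
    List<String> out = new ArrayList<>();
    out.add("MyTasks");                                      // visible at every level
    if (SYSTEM_LEVEL.equals(level)) out.add("SystemInfoWidget"); // SYSTEM-only
    return out;
  }

  public static void main(String[] args) {
    RequestContext clientUser = new RequestContext("CLIENT_ADMIN");
    Map<String, String> request = Map.of("level", "SYSTEM");

    // Unchecked handler serves the SYSTEM-only widget to a non-SYSTEM role.
    System.out.println("unchecked: " + getWidgetsUnchecked(clientUser, request));

    // Checked handler rejects the same request from a non-SYSTEM role...
    try {
      getWidgetsChecked(clientUser, request);
    } catch (AccessDeniedException e) {
      System.out.println("checked: denied (" + e.getMessage() + ")");
    }
    // ...and still serves it when the SYSTEM role is genuinely in use.
    System.out.println("checked as SYSTEM: "
        + getWidgetsChecked(new RequestContext(SYSTEM_ROLE), request));
  }
}
```

The point of the check is that the role comes from the server-side session, not from the request: the client can choose which level it asks for, but only the server knows which role the session actually holds, so the comparison has to happen there. A useful regression test for this class of fix is exactly the forged request in main(): a non-SYSTEM session sending level=SYSTEM must be refused, and a SYSTEM session sending the same request must still succeed.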
(0149142) hgbot 2023-05-02 15:41
Merge request merged: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/871