Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
ID: 0052173
Project: Openbravo ERP
Category: A. Platform
View Status: public
Date Submitted: 2023-04-19 17:13
Last Update: 2023-05-02 15:38
Reporter: AugustoMauch
Assigned To: AugustoMauch
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
5
Target Version: PR23Q1.2
Fixed in Version: PR23Q1.2
Modules: Core
Triggers an Emergency Pack: No
Summary: 0052173: Review widget access
-
-
No tags attached.
Relationships: blocks defect 0052171 (closed, AugustoMauch): Review widget access
Issue History
2023-04-19 17:13  AugustoMauch  Type: defect => backport
2023-04-19 17:13  AugustoMauch  Target Version => PR23Q1.2
2023-05-02 15:38  hgbot         Note Added: 0149137
2023-05-02 15:38  hgbot         Note Added: 0149138
2023-05-02 15:38  hgbot         Resolution: open => fixed
2023-05-02 15:38  hgbot         Status: scheduled => closed
2023-05-02 15:38  hgbot         Fixed in Version => PR23Q1.2
2023-05-02 15:38  hgbot         Note Added: 0149139

Notes
(0149137) hgbot, 2023-05-02 15:38
Merge Request created: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/870

(0149138) hgbot, 2023-05-02 15:38
Merge request merged: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/870

(0149139) hgbot, 2023-05-02 15:38
Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/openbravo/product/openbravo
Changeset: d3cee6da6ef092a29e91375fe886ed493b9c92cb
Author: Augusto Mauch <augusto.mauch@openbravo.com>
Date: 02-05-2023 15:37:49
URL: https://gitlab.com/openbravo/product/openbravo/-/commit/d3cee6da6ef092a29e91375fe886ed493b9c92cb

Fixes ISSUE-52173: Only SYSTEM role should have access to SYSTEM widgets

Adds a check to ensure that if the level provided when doing a request to obtain widget information is SYSTEM,
the user requesting that information is currently using the SYSTEM role.

Note that the frontend was already ensuring this by making the SYSTEM level available only to SYSTEM roles, but
because no check was being done in the backend it was possible to create a manual request to take advantage of this
vulnerability.

---
M modules/org.openbravo.client.myob/src/org/openbravo/client/myob/MyOpenbravoActionHandler.java
---