(0149139) | hgbot | 2023-05-02 15:38
Directly closing issue as related merge request is already approved.
Repository: https://gitlab.com/openbravo/product/openbravo
Changeset: d3cee6da6ef092a29e91375fe886ed493b9c92cb
Author: Augusto Mauch <augusto.mauch@openbravo.com>
Date: 02-05-2023 15:37:49
URL: https://gitlab.com/openbravo/product/openbravo/-/commit/d3cee6da6ef092a29e91375fe886ed493b9c92cb
Fixes ISSUE-52173: Only SYSTEM role should have access to SYSTEM widgets
Adds a check to ensure that if the level provided when doing a request to obtain widget information is SYSTEM,
the user requesting that information is currently using the SYSTEM role.
Note that the frontend was already ensuring this by making the SYSTEM level available only to SYSTEM roles, but
because no check was being done in the backend it was possible to create a manual request to take advantage of this
vulnerability.
---
M modules/org.openbravo.client.myob/src/org/openbravo/client/myob/MyOpenbravoActionHandler.java
---
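
The backend check this commit message describes, shown as an added Java example that is not the code from MyOpenbravoActionHandler.java or from the Openbravo project. The `Session` record, the `WIDGETS` map, both method names and the `ROLE` level are assumptions made for illustration; only the `SYSTEM` level and the rule that it requires the SYSTEM role come from the note above.

```java
import java.util.List;
import java.util.Map;

// Added illustration; all names here are hypothetical, not Openbravo's API.
public class WidgetLevelCheck {

    // Server-side session state: whether the user is currently using the SYSTEM role.
    record Session(String user, boolean usingSystemRole) {}

    // Constructed sample data: widget instances keyed by the level they are defined at.
    static final Map<String, List<String>> WIDGETS = Map.of(
        "SYSTEM", List.of("system-wide default widget"),
        "ROLE", List.of("sales role widget"));

    // Before: the level comes straight from the request and is trusted,
    // because the UI only offers SYSTEM to SYSTEM roles.
    static List<String> widgetsUnchecked(Session s, String requestedLevel) {
        return WIDGETS.getOrDefault(requestedLevel, List.of());
    }

    // After: the backend compares the requested level with the session's
    // current role and rejects the request itself.
    static List<String> widgetsChecked(Session s, String requestedLevel) {
        if ("SYSTEM".equals(requestedLevel) && !s.usingSystemRole()) {
            throw new SecurityException(
                "level SYSTEM requested by " + s.user() + " without the SYSTEM role");
        }
        return WIDGETS.getOrDefault(requestedLevel, List.of());
    }

    public static void main(String[] args) {
        Session admin = new Session("admin", true);
        Session clerk = new Session("clerk", false);

        // A request that does not come from the UI only meets the server-side check.
        System.out.println("unchecked, clerk: " + widgetsUnchecked(clerk, "SYSTEM"));
        System.out.println("checked, admin:   " + widgetsChecked(admin, "SYSTEM"));
        System.out.println("checked, clerk (ROLE): " + widgetsChecked(clerk, "ROLE"));
        try {
            widgetsChecked(clerk, "SYSTEM");
        } catch (SecurityException e) {
            System.out.println("checked, clerk:   denied (" + e.getMessage() + ")");
        }
    }
}
```

A regression test for a fix of this kind should call the handler directly with a non-SYSTEM session and the SYSTEM level, since the UI never produces that combination.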