Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0054207Openbravo ERPA. Platformpublic2023-12-22 16:172023-12-27 14:49
Reportercaristu 
Assigned ToTriage Platform Base 
PriorityhighSeveritymajorReproducibilityhave not tried
StatusclosedResolutionfixed 
PlatformOS5OS Version
Product Version 
Target VersionFixed in VersionPR24Q1 
Merge Request Statusapproved
Review Assigned To
OBNetwork customerNo
Web browser
ModulesCore
Support ticket
Regression level
Regression date2023-10-04
Regression introduced in releasepi
Regression introduced by commithttps://gitlab.com/openbravo/product/openbravo/-/commit/c4e47a6e93227939e01245ebfc44072f61c86c3c [^]
Triggers an Emergency PackNo
Summary0054207: Cannot execute JSON WS request with roles without access to the GCSystem entity
DescriptionThere is an special case where executing WS requests to the standard JSON web services fail if the execution is done by a user whose default role has not read access to the GCSystem entity
Steps To Reproduce1- Login in Openbravo
2- Switch to use the role "Group - Admin" of The White Valley Group and set it as default role for this user. Note that this user does not have read access to the GCSystem entity
3- Restart Tomcat. This important as this way in the next step we ensure that the first request is done with a role that cannot access to the GCSystem entity
4- Make a GET request to any of the standard WS requests for example: http://localhost:8080/openbravo/org.openbravo.service.json.jsonrest/Country [^]
5- The request fails and the response shows the following error:

{"response":{"data":[{"response":{"status":-1,"error":{"message":"OBUIAPP_ActionNotAllowed","type":"user"},"totalRows":0}}

The following stack trace is shown in the log:

org.openbravo.base.exception.OBSecurityException: Entity OBUIAPP_GC_System is not readable by the user 100
    at org.openbravo.dal.security.EntityAccessChecker.checkReadable(EntityAccessChecker.java:639) ~[classes/:?]
    at org.openbravo.dal.service.OBDal.checkReadAccess(OBDal.java:749) ~[classes/:?]
    at org.openbravo.dal.service.OBDal.checkReadAccess(OBDal.java:736) ~[classes/:?]
    at org.openbravo.dal.service.OBDal.createCriteria(OBDal.java:572) ~[classes/:?]
    at org.openbravo.client.application.window.StandardWindowComponent.getSystemGridConfig(StandardWindowComponent.java:195) ~[classes/:?]
    at org.openbravo.base.GridConfigurationCache.initializeSystemConfig(GridConfigurationCache.java:74) ~[classes/:?]
Proposed Solution
Additional Information
TagsNo tags attached.
Relationships
caused by feature request 0053358 closed jarmendariz Configurable Organization Time Zone 
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2023-12-22 16:17caristuNew Issue
2023-12-22 16:17caristuAssigned To => Triage Platform Base
2023-12-22 16:17caristuOBNetwork customer => No
2023-12-22 16:17caristuModules => Core
2023-12-22 16:17caristuTriggers an Emergency Pack => No
2023-12-22 16:18caristuRegression date => 2023-10-04
2023-12-22 16:18caristuRegression introduced by commit => https://gitlab.com/openbravo/product/openbravo/-/commit/c4e47a6e93227939e01245ebfc44072f61c86c3c [^]
2023-12-22 16:18caristuRelationship addedcaused by 0053358
2023-12-22 16:19caristuSteps to Reproduce Updatedbug_revision_view_page.php?rev_id=27267#r27267
2023-12-22 16:20caristuRegression introduced in release => pi
2023-12-22 16:20caristuSteps to Reproduce Updatedbug_revision_view_page.php?rev_id=27268#r27268
2023-12-22 16:28hgbotMerge Request Status => open
2023-12-22 16:28hgbotNote Added: 0158554
2023-12-27 14:49hgbotMerge Request Statusopen => approved
2023-12-27 14:49hgbotNote Added: 0158652
2023-12-27 14:49hgbotResolutionopen => fixed
2023-12-27 14:49hgbotStatusnew => closed
2023-12-27 14:49hgbotFixed in Version => PR24Q1
2023-12-27 14:49hgbotNote Added: 0158653

Notes
(0158554)
hgbot   
2023-12-22 16:28   
Merge Request created: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/1086 [^]
(0158652)
hgbot   
2023-12-27 14:49   
Merge request merged: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/1086 [^]
(0158653)
hgbot   
2023-12-27 14:49   
Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/openbravo/product/openbravo [^]
Changeset: 6741d497ee60627a66f3d77f95d2fe4c081c8f8a
Author: Carlos Aristu <carlos.aristu@openbravo.com>
Date: 27-12-2023 12:06:34
URL: https://gitlab.com/openbravo/product/openbravo/-/commit/6741d497ee60627a66f3d77f95d2fe4c081c8f8a [^]

fixes BUG-54207: JSON WS request mail fail if the user cannot access to GCSystem

  When fetching data through a JSON WS request, the grid configuration
information is initialized on the first request. If this request is done
by a user whose default role has not read access to the grid
configuration tables, then the request fails with an
OBSecurityException.

  To fix this problem we now ensure that this information is always read
in admin mode.

---
M src/org/openbravo/base/GridConfigurationCache.java
---