0057255: A user with a not Manual role can access, edit and create transactions in any organization

Openbravo Issue Tracking System - Openbravo ERP

View Issue Details

Project

Category

View Status

Date Submitted

Last Update

0057255

Openbravo ERP

C. Security

public

2024-10-03 09:07

2024-11-22 11:13

Reporter

eduardo_Argal

Assigned To

Triage Platform Base

Priority

immediate

Severity

major

Reproducibility

always

Status

scheduled

Resolution

open

Platform

OS Version

Product Version

Target Version

PR24Q4

Fixed in Version

Merge Request Status

Review Assigned To

OBNetwork customer

Web browser

Modules

Core

Support ticket

Regression level

Production - Confirmed Stable

Regression date

Regression introduced in release

Regression introduced by commit

Triggers an Emergency Pack

Summary

0057255: A user with a not Manual role can access, edit and create transactions in any organization

Description

A user with a not Manual role can access, edit and create transactions in any organization even if the organization access is limited to one store.

Steps To Reproduce

1) Log as Orhi Store User
2) Go to Purchase Order Window
3) Create a new record
4) Mind that the organization combo displays the full list of organization when it should just display the organizations defined in the Org Access tab for his/her role
5) change the configuration for the role to Manual
6) Repeat the steps and mind that now the organizatiuon combo works properly

Proposed Solution

Check previous behavior:
- How is the org access provided? Only on role creation? On update as well?

Check workaround:
- Ensure that disabling the role_org record works as expected

Additional Information