Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0057770Openbravo ERPA. Platformpublic2025-01-28 08:482025-02-03 11:19
ReporterAugustoMauch 
Assigned ToAugustoMauch 
PrioritynormalSeveritymajorReproducibilityhave not tried
StatusclosedResolutionfixed 
PlatformOS5OS Version
Product Version 
Target VersionPR25Q1Fixed in VersionPR25Q1 
Merge Request Statusapproved
Review Assigned To
OBNetwork customerNo
Web browser
ModulesCore
Support ticket
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary0057770: Entity is not accesible by role, even when the role configuration should allow it
DescriptionDepending on how other roles are configured, it is possible that an automatic role, that should by default have access to all entities, will miss access to some.
Steps To Reproduce- Create a role called ManualTest.
- Set it as manual
- Create an entry in the Window Access subtab. Window: Sales order, Active: false

- Create another role called NonManualTest
- Make sure Manual=false
- Assign it to the usuario de Openbravo
- Logout

- Login as Openbravo
- Change role, use NonManualTest
- Open Sales Order. An error will be displayed when rendering rows for the Lines subtab:

org.openbravo.base.exception.OBSecurityException: Entity OrderLine is not accessible by this role/user: TestRoleNotAdvanced/Openbravo
Proposed Solution
Additional Information
TagsNo tags attached.
Relationships
blocks defect 0057769 closed AugustoMauch Entity is not accesible by role, even when the role configuration should allow it 
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2025-01-28 08:50AugustoMauchTypedefect => backport
2025-01-28 08:50AugustoMauchTarget Version => PR25Q1
2025-01-29 08:56hgbotMerge Request Status => open
2025-01-29 08:56hgbotNote Added: 0174834
2025-01-29 10:19hgbotMerge Request Statusopen => approved
2025-02-03 11:19hgbotNote Added: 0175044
2025-02-03 11:19hgbotResolutionopen => fixed
2025-02-03 11:19hgbotStatusscheduled => closed
2025-02-03 11:19hgbotFixed in Version => PR25Q1
2025-02-03 11:19hgbotNote Added: 0175045

Notes
(0174834)
hgbot   
2025-01-29 08:56   
Merge Request created: https://gitlab.com/orisha-group/bu-commerce/openbravo/product/openbravo/-/merge_requests/1516 [^]
(0175044)
hgbot   
2025-02-03 11:19   
Merge request merged: https://gitlab.com/orisha-group/bu-commerce/openbravo/product/openbravo/-/merge_requests/1516 [^]
(0175045)
hgbot   
2025-02-03 11:19   
Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/orisha-group/bu-commerce/openbravo/product/openbravo [^]
Changeset: bccea0f4b357fe1951f62ddce3b69b6f034a7a5d
Author: Augusto Mauch <amauch@orisha.com>
Date: 29-01-2025 08:55:33
URL: https://gitlab.com/orisha-group/bu-commerce/openbravo/product/openbravo/-/commit/bccea0f4b357fe1951f62ddce3b69b6f034a7a5d [^]

Fixes ISSUE-57770: Table access for auto role is not properly checked

There was a problem in the query that was used to determine if an auto role was explicitly denied access
to a given table, in the getAutomaticTableAccess method. The problem was that the query wanted to check
that there are no disabled entries in ADWindowAccess for this role, but the role filter was missing in
the subquery. As a consequence, if a table was disabled for other roles, the configuration leaked to other
auto roles.

Also a change was done to getManualTableAccess to avoid granting access to tables, if the isActive property
in the header tab is false.

---
M src/org/openbravo/dal/security/EntityAccessChecker.java
---