Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
0006985 | Openbravo ERP | C. Security | public | 2009-01-19 12:11 | 2009-10-30 11:58
joan
iciordia
urgent | critical | always
closed | no change required
5
2.40 
 
Core
No
0006985: User can access restricted info without access rights
When you create a new role as manual and allow access to the Product window, the user can see the associated reports in the Information section of the menu. From there he can access the Product Information window, which shows prices.

The problem is that when you restrict access to the tables M_pricelist, m_pricelist_version, m_product_po, m_productprice, the user with the new role can still see the Product Information window in the Information menu.

This is really a big problem because if you can't limit this view then you really can't limit the view of a user.
Create a new role called newrole and set it as manual.
Save it.
Insert access to the org.
Insert access to the Product window.
Assign this role to a user A.
--
Go to the Role Access table and, for the role newrole, restrict the following tables:
m_product_po
m_productprice
m_pricelist
m_pricelistversion

--

Now switch to user A with role newrole.
Go to the Product window.
Go to the price tab. It gives you a restricted access error (this is OK).

Go to the Information -> Product menu.
This menu should not appear, or at least the prices shouldn't be shown.
ReleaseCandidate
Issue History
2009-01-19 12:11 | joan | New Issue
2009-01-19 12:11 | joan | Assigned To | => rafaroda
2009-01-19 12:11 | joan | sf_bug_id | 0 => 2519459
2009-01-19 12:12 | joan | Note Added: 0012320
2009-01-19 12:49 | joan | Note Added: 0012323
2009-01-19 13:00 | psarobe | Note Added: 0012324
2009-01-19 13:00 | psarobe | version | => 2.40
2009-01-19 13:15 | joan | Note Added: 0012326
2009-01-20 08:29 | pjuvara | Priority | normal => urgent
2009-01-20 08:30 | pjuvara | Issue Monitored: pjuvara
2009-01-20 11:01 | psarobe | Note Added: 0012378
2009-01-20 12:15 | joan | Note Added: 0012387
2009-01-26 07:17 | pjuvara | Note Added: 0012609
2009-01-26 07:18 | pjuvara | Issue Monitored: psarobe
2009-01-26 07:18 | pjuvara | Note Added: 0012610
2009-01-28 18:26 | psarobe | Note Added: 0012769
2009-01-28 18:26 | psarobe | Type | defect => feature request
2009-01-29 11:05 | rafaroda | Assigned To | rafaroda => pjuvara
2009-01-30 14:04 | joan | Note Added: 0012902
2009-02-02 06:35 | pjuvara | Status | new => acknowledged
2009-02-02 06:35 | pjuvara | Tag Attached: ReleaseCandidate
2009-05-22 19:36 | pjuvara | Assigned To | pjuvara => iciordia
2009-09-02 13:27 | rafaroda | Note Added: 0019419
2009-10-29 18:14 | joan | Note Added: 0021476
2009-10-29 18:16 | joan | Note Edited: 0021476
2009-10-30 11:38 | iciordia | Status | acknowledged => scheduled
2009-10-30 11:38 | iciordia | Note Added: 0021486
2009-10-30 11:38 | iciordia | fix_in_branch | => pi
2009-10-30 11:58 | iciordia | Status | scheduled => closed
2009-10-30 11:58 | iciordia | Note Added: 0021487
2009-10-30 11:58 | iciordia | Resolution | open => no change required

Notes
(0012320)
joan   
2009-01-19 12:12   
I use Openbravo version 2.40 on Debian etch, with PostgreSQL 8.3.
(0012323)
joan   
2009-01-19 12:49   
Another collateral problem of this is the following one.

If you allow access to the Product window and you restrict access to the table c_bpartner, the user can still see all your vendors and customers. Also, if you restrict access to ad_reference, the problem still remains.

There should be restricted access to references by role, or at least all the references should check whether there are restricted tables assigned to them.
(0012324)
psarobe   
2009-01-19 13:00   
Hi Joan,

Please use the product version combo for entering the version instead of adding a note.

Thanks again for your feedback.

Regards
(0012326)
joan   
2009-01-19 13:15   
Sorry, I realized it just after clicking the send button, and I couldn't change it afterwards. That's why I've added a note.
(0012378)
psarobe   
2009-01-20 11:01   
Hi Joan,

Sorry, but I don't understand you when you say "Also if you restrict access to ad_reference still the problem remains" and also when you say "you can still see all your vendor and customers". Can you please provide the steps for this example?

Thanks
(0012387)
joan   
2009-01-20 12:15   
Sure Psarobe :),

When I say "you can still see all your vendors and customers" I mean that if you go to the Product window, click on the "Business Partner" field and press Enter, it shows a popup in which you can see all the business partners (vendors, customers); and if you restrict access to the table c_bpartner, you can still see the vendors and customers in that popup. (Of course I don't want that user to see that info; that's why I've excluded the access.)

About the ad_reference thing, I was thinking that if, after the steps above, I exclude access to the ad_reference table, then maybe the different references would not show up; that's why I said that, but obviously this is not happening as I expected.

The steps for this are:
(continuing after the Steps To Reproduce of the issue)
Still with role A
Go to the Product window again
Press the Business Partner button
A popup is shown
See that you can see the different business partners (vendors, customers)
Change the role to Admin
Go to the Role Access window and insert new restrictions on role A:
restrict access to the c_bpartner table (set exclude)
restrict access to the ad_references table (set exclude)

Change again to role A
Go to the Product window
Press the Business Partner button
A popup is shown
See that you can still see the different business partners (vendors, customers) (I think you shouldn't, because access to the table is restricted)
(0012609)
pjuvara   
2009-01-26 07:17   
Reminder sent to: rafaroda

Pablo, Rafa,

how do we proceed on this security issue?

Thanks,

Paolo
(0012610)
pjuvara   
2009-01-26 07:18   
Reminder sent to: psarobe

Pablo, Rafa,

how do we proceed on this security issue?

Thanks,

Paolo
(0012769)
psarobe   
2009-01-28 18:26   
Hi Joan

The "role access" tab within the Table window is used to reject access to a specific table, so users are not allowed to see tabs linked to that table. For example, if a role is allowed to access the Product window but is rejected for the Price table, then that role won't be able to access the Price tab within the Product window. Selectors follow a different model: you can open/use a selector if you have access to a window where that selector is used. So if a role has been granted access to Sales Order, where the product selector is used, then that role will see the product selector from the application menu.

But we are going to change this issue to a feature request to take into account all your comments and improve the security model.

Thanks
(0012902)
joan   
2009-01-30 14:04   
Well,

I still believe that this is a security problem.

I have some possible solutions.

a) Create an access table by role on selectors: if you don't have access to a selector you can't see it, and the selector in all the pages becomes a normal text field.

b) Try to unify the security model: only show in the selector the data from tables you have access to. If you don't have access to the price table you can't see the price, but you see the name of the product (if you have access to the m_product table).

c) Allow disabling the Information menu entry, at least to hide the selectors a little more from the users.
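A toy model of the two access semantics discussed in the notes above: the current behaviour from note 0012769, where a selector opens whenever the role can reach any window that uses it, beside proposal (b), where the selector applies the same table exclusions as tabs. This is an added, constructed example and not Openbravo code; the window, table and selector metadata are assumptions chosen to mirror the report.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    windows: set                                       # windows the role may open
    excluded_tables: set = field(default_factory=set)  # Role Access exclusions

# Constructed selector metadata mirroring the report (not Openbravo's dictionary):
# each selector has a base table, windows it is used in, and table-backed columns.
SELECTORS = {
    "Product Info": {"used_in": {"Product", "Sales Order"}, "table": "m_product",
                     "columns": {"name": "m_product", "price": "m_productprice"}},
    "Business Partner": {"used_in": {"Product"}, "table": "c_bpartner",
                         "columns": {"name": "c_bpartner"}},
}

def can_open_tab(role, window, table):
    """Tab check: window granted and the tab's table not excluded (this part works)."""
    return window in role.windows and table not in role.excluded_tables

def selector_current(role, selector):
    """Model from note 0012769: the selector opens if any window using it is granted.
    Table exclusions are never consulted, so every column is shown (the reported leak)."""
    s = SELECTORS[selector]
    if not (s["used_in"] & role.windows):
        return None                      # selector not reachable at all
    return set(s["columns"])

def selector_unified(role, selector):
    """Proposal (b): apply the tab rule to selectors. An excluded base table means the
    selector does not open; columns backed by excluded tables are dropped."""
    s = SELECTORS[selector]
    if not (s["used_in"] & role.windows) or s["table"] in role.excluded_tables:
        return None
    return {col for col, tbl in s["columns"].items() if tbl not in role.excluded_tables}

def audit(role):
    """Selectors reachable by the role that reveal more today than the unified rule allows."""
    findings = []
    for name in SELECTORS:
        shown = selector_current(role, name)
        allowed = selector_unified(role, name) or set()
        if shown is not None and shown - allowed:
            findings.append((name, sorted(shown - allowed)))
    return findings

# The role from the steps to reproduce: Product window granted, price/partner tables excluded.
NEWROLE = Role("newrole", {"Product"}, {"m_productprice", "m_pricelist",
                                        "m_pricelistversion", "m_product_po", "c_bpartner"})
```

Running `audit(NEWROLE)` lists each reachable selector together with the columns it shows despite the role's table exclusions, which is the check an administrator would want before trusting table-level restrictions alone.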
(0019419)
rafaroda   
2009-09-02 13:27   
According to http://wiki.openbravo.com/wiki/Bug_Reporting_Guidelines#How_to_Choose_the_Right_Severity feature requests should not have Severity Critical.

If there is no reason why they are Critical, please lower their priority to Major:
    * New functionality that would significantly increase the user base of the product.
    * Usability improvements.

Thanks.
(0021476)
joan   
2009-10-29 18:14   
(edited on: 2009-10-29 18:16)
Critical:
* Production system is severely impacted

I really think this could show private data outside of the user role it belongs to. So I'm not sure, but I think it must be critical.

Anyway, I know that there is a possible workaround for it, which is creating a copy of the window without the affected data, but this is not clear.

(0021486)
iciordia   
2009-10-30 11:38   
Changing to status scheduled
(0021487)
iciordia   
2009-10-30 11:58   
Joan,

let me explain the reasons I decided to reject this issue:
- In your example below you want role A to be able to edit products, but that role should not be able to see business partners.
- When editing products, users need to choose the business partner associated to the product (by the way, this is a very uncommon requirement, so you could just remove this field if it is not needed to solve your issue).
- But if this is needed, there is no way to allow choosing without allowing them to see the list of business partners.
- If the information shown in the business partner selector is more than you would like to show, you can easily change the reference for that column to a drop-down list where only the name is shown, or create your own business partner selector with the information you think is appropriate.
- If the role does not need to edit products, you can change privileges to read only, so the business partner selector is not enabled.

Finally, Openbravo plans to review its security model in line with your suggested approach to improve the ease of security administration and consistency. But the current security model allows you to run production environments with very granular security configuration and without critical restrictions. Please let me know what your requirement is and I will guide you to the proper configuration.

Thanks,

Ismael