Openbravo Issue Tracking System - Openbravo ERP | |||||||||||||||||||
| View Issue Details | |||||||||||||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||||||||||||
| 0007374 | Openbravo ERP | C. Security | public | 2009-02-05 06:42 | 2009-05-22 19:36 | ||||||||||||||
| Reporter | pjuvara | ||||||||||||||||||
| Assigned To | iciordia | ||||||||||||||||||
| Priority | normal | Severity | minor | Reproducibility | always | ||||||||||||||
| Status | acknowledged | Resolution | open | ||||||||||||||||
| Platform | OS | 5 | OS Version | ||||||||||||||||
| Product Version | 2.40 | ||||||||||||||||||
| Target Version | Fixed in Version | ||||||||||||||||||
| Merge Request Status | |||||||||||||||||||
| Review Assigned To | |||||||||||||||||||
| OBNetwork customer | |||||||||||||||||||
| Web browser | |||||||||||||||||||
| Modules | Core | ||||||||||||||||||
| Support ticket | |||||||||||||||||||
| Regression level | |||||||||||||||||||
| Regression date | |||||||||||||||||||
| Regression introduced in release | |||||||||||||||||||
| Regression introduced by commit | |||||||||||||||||||
| Triggers an Emergency Pack | No | ||||||||||||||||||
| Summary | 0007374: Secure records so that only user who created them can view them | ||||||||||||||||||
| Description | You should be able to declare in AD that in a particular window only the user who created the records is able to see them. This behavior is for instance needed in the requistion flow where only the employee who created a requisition and the purchasing agent should be able to see them. We have resolved this requirement in 2.40 with a workaround: we duplicated the window and added a custom where clause to enforce security. This implementation however is not fully correct has it creates redundant code and it is confusing. See issues 7311 and 4716 for more details. Another example of this need is in the Employee Appraisal module about to be published on top of 2.50. In that case, only the manager who created the appraisal, her management chain and the HR manager are able to see records. In that case, there is an additional twist as the manager is able to share the appraisal with the employee, so depending on the record status other users are also able to see the record. | ||||||||||||||||||
| Steps To Reproduce | |||||||||||||||||||
| Proposed Solution | In order to avoid duplications, we should allow to specify a custom filter in the role - window association. This custom filter is applied in addition to the standard organization based security. | ||||||||||||||||||
| Additional Information | |||||||||||||||||||
| Tags | ReleaseCandidate | ||||||||||||||||||
| Relationships |
| ||||||||||||||||||
| Attached Files | |||||||||||||||||||
| Issue History | |||||||||||||||||||
| Date Modified | Username | Field | Change | ||||||||||||||||
| 2009-02-05 06:42 | pjuvara | New Issue | |||||||||||||||||
| 2009-02-05 06:42 | pjuvara | Assigned To | => pjuvara | ||||||||||||||||
| 2009-02-05 06:42 | pjuvara | sf_bug_id | 0 => 2566916 | ||||||||||||||||
| 2009-02-05 06:42 | pjuvara | Regression testing | => No | ||||||||||||||||
| 2009-02-05 06:43 | pjuvara | Relationship added | related to 0007311 | ||||||||||||||||
| 2009-02-05 06:43 | pjuvara | Relationship added | related to 0004716 | ||||||||||||||||
| 2009-02-05 06:43 | pjuvara | Status | new => acknowledged | ||||||||||||||||
| 2009-02-05 06:43 | pjuvara | Tag Attached: ReleaseCandidate | |||||||||||||||||
| 2009-05-22 19:36 | pjuvara | Assigned To | pjuvara => iciordia | ||||||||||||||||
| There are no notes attached to this issue. |