Openbravo Issue Tracking System - Openbravo ERP |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0007709 | Openbravo ERP | 01. General setup | public | 2009-02-20 10:46 | 2009-04-22 00:00 |
|
| Reporter | roklenardic | |
| Assigned To | alostale | |
| Priority | high | Severity | major | Reproducibility | always |
| Status | closed | Resolution | fixed | |
| Platform | | OS | 20 | OS Version | Ubuntu 8.10 |
| Product Version | pi | |
| Target Version | | Fixed in Version | 2.50 | |
| Merge Request Status | |
| Review Assigned To | |
| OBNetwork customer | |
| Web browser | |
| Modules | Core |
| Support ticket | |
| Regression level | |
| Regression date | |
| Regression introduced in release | |
| Regression introduced by commit | |
| Triggers an Emergency Pack | No |
|
| Summary | 0007709: Alerts Multitenancy security issue |
| Description | Having several clients inside the database confuses the alerting feature which in turn shows alerts of all clients when logged in as admin of one particular one. |
| Steps To Reproduce | 1) Enter as Sys Admin and go to General Setup || Application || Alert and activate "Customers with exceeded credit" alert
2) Switch to Openbravo Admin and add Openbravo Admin role to the recipients of the alert above
3) go to General Setup || Process Scheduling || Process Request and enter a new record with Process=Alert Process, Timing=Schedule, Frequency=every n minutes, Interval in minutes=1
4) Save
5) click the Schedule Process button
6) Rename reference/importclient/BigBazaar.xml to reference/importclient/AnotherBazaar.xml
7) Switch to Sys Admin role and go to General Setup || Client || Import Client and enter "AnotherBazaar" and confirm. this will import a new client, AnotherBazaar identical to bigbazaar.
8) Switch to Openbravo Admin of the BigBazaar client and see how two alerts appear, both for the same Neil Reiley business partner being over credit, one from BigBazaar and one from another bazaar.
This is a security issue since Openbravo Admin from BigBazaar should not be seeing items from AnotherBazaar's data. |
| Proposed Solution | |
| Additional Information | |
| Tags | No tags attached. |
| Relationships | |
| Attached Files | |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2009-02-20 10:46 | roklenardic | New Issue | |
| 2009-02-20 10:46 | roklenardic | Assigned To | => rafaroda |
| 2009-02-20 10:46 | roklenardic | Regression testing | => No |
| 2009-02-20 10:58 | roklenardic | Note Added: 0013811 | |
| 2009-02-24 13:03 | rafaroda | Assigned To | rafaroda => anthony_wolski |
| 2009-02-24 13:03 | rafaroda | Priority | normal => high |
| 2009-02-24 13:03 | rafaroda | Status | new => scheduled |
| 2009-03-03 13:04 | anthony_wolski | Note Added: 0014299 | |
| 2009-03-03 13:04 | anthony_wolski | Status | scheduled => feedback |
| 2009-03-10 14:32 | roklenardic | Note Added: 0014551 | |
| 2009-03-16 11:09 | rafaroda | Assigned To | anthony_wolski => alostale |
| 2009-03-16 11:09 | rafaroda | Status | feedback => scheduled |
| 2009-03-17 16:42 | alostale | Note Added: 0014730 | |
| 2009-03-17 16:44 | hgbot | Checkin | |
| 2009-03-17 16:44 | hgbot | Note Added: 0014731 | |
| 2009-03-17 16:44 | hgbot | Status | scheduled => resolved |
| 2009-03-17 16:44 | hgbot | Resolution | open => fixed |
| 2009-03-17 16:44 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/devel/pi/rev/f432462f35a0168d397ca536eefb7b84687cc92a [^] |
| 2009-04-21 10:33 | psarobe | Status | resolved => closed |
| 2009-04-22 00:00 | anonymous | sf_bug_id | 0 => 2777979 |
|
Notes |
|
|
|
|
Even if one switches to Sys Admin role, the Alert still appears which means there is also a Role security hole. |
|
|
|
|
|
I am unable to reproduce this bug. I am working on the pre-integration repository (which is now SmallBazaar) and have followed the steps outlined in steps to reproduce. There are 2 alerts in the database, obviously each with a different referencekey_id, and I can log in as Openbravo Admin for each of the clients (SmallBazaar and AnotherBazaar) and each one only has a single alert. |
|
|
|
|
In
rok@nautiloos:~/openbravoTrunk$ hg id
ac6d3962082a+ tip
revision of the devel/main I cannot even see the Alert Management window, I get:
14:22:43 [http-8180-6] ERROR org.openbravo.erpCommon.ad_forms.AlertManagement - Error captured: java.lang.ArrayIndexOutOfBoundsException: 1
On top of that, when trying to copy a client, it doesn't work either, I get
Error occurred
org.hibernate.exception.GenericJDBCException: Could not execute JDBC batch update
So I cannot even check again for this error. |
|
|
|
|
Just two comments on this issue:
-The example alerts are not properly managing client/organizations, this is going to be fixed.
-It is a known issue that as alerts are executing directly queries on database they can obtain data without any restriction, thus the person in charge of creating alerts must be trusted. This will be faces when moving alerts to dal. |
|
|
|
(0014731)
|
|
hgbot
|
|
2009-03-17 16:44
|
|
|