View Issue Details
ID | 0030735
Type | defect
Category | [Openbravo ERP] 02. Master data management
Severity | major
Reproducibility | always
Date Submitted | 2015-09-02 10:50
Last Update | 2015-09-11 06:33
Reporter | malsasua
View Status | public
Assigned To | AtulOpenbravo
Priority | normal
Resolution | fixed
Fixed in Version |
Status | closed
Fix in branch |
Fixed in SCM revision | 13211c4cc0a0
Projection | none
ETA | none
Target Version |
OS | Linux 32 bit
Database | PostgreSQL
Java version | 1.6.0_18
OS Version | Community Appliance
Database version | 8.3.9
Ant version | 1.7.1
Product Version | 3.0PR15Q3
SCM revision |
Review Assigned To | vmromanos
Web browser |
Modules | Core
Regression level |
Regression date |
Regression introduced in release |
Regression introduced by commit |
Triggers an Emergency Pack | No
Summary | 0030735: All price lists are displayed without check the organization role
Description | In the window "product", tab pricelist, in some cases all pricelists are displayed in the combo, although the role does not have permission to all pricelist organizations.
Steps To Reproduce |
- create pricelist as attachment: pl1.png
- create pricelist as attachment: pl2.png
- create role as attachment: roleOrgAccess.png and roleUser.png
- login in the ERP using the role "regionNorte"
- go to window product -> tab pricelist
- open the pricelist combo: all pricelists are displayed, but only regionNorte - plv should be displayed
Proposed Solution | The problem is in the callout SL_ProductPrice_PriceListVersion: it returns false in line 66, and it should return true: https://code.openbravo.com/erp/devel/pi/file/5a14852fac16/src/org/openbravo/erpCommon/ad_callouts/SL_ProductPrice_PriceListVersion.java#l66
Tags | No tags attached.
Attached Files |
pl1.png (112,491 bytes) 2015-09-02 10:54
pl2.png (107,724 bytes) 2015-09-02 10:54
roleOrgAccess.png (121,426 bytes) 2015-09-02 10:54
roleUser.png (122,574 bytes) 2015-09-02 10:54
Notes | |
(0080107) vmromanos (manager) 2015-09-04 12:36 edited on: 2015-09-10 09:51 |
Proposed solution:
1. Implement a validation rule in the M_PriceList_Version_ID column to see the records belonging to the authorized orgs depending on the context role. (You can take as an example the 'AD_Org of logged Role' validation rule.) Please verify that this new validation rule works fine for all the fields (in different windows) linked to this column.
2. Set this callout as deprecated (we don't delete it to avoid an API change).
(0080236) AtulOpenbravo (developer) 2015-09-08 08:52 |
Test Plan
- Login as F&B International Group Admin.
- Create pricelist as attachment: pl1.png
- Create pricelist as attachment: pl2.png
- Create role as attachment: roleOrgAccess.png and roleUser.png
- Logout and login using the role "regionNorte"
- Go to window product -> tab pricelist
- Open the pricelist selector list, check that not all pricelists are displayed, but only regionNorte - plv is displayed.
(0080243) vmromanos (manager) 2015-09-08 12:32 edited on: 2015-09-08 16:56 |
Test plan II:
- Create a role with access to Norte and Sur organizations similar to the previous one.
- Go to Product | Price
- Create a new record for Agua sin Gas 1L
- Verify you can select either Norte or Sur price list versions created before
Please note that if the role is defined with User Level = "Organization", this scenario is not working fine. It will be automatically fixed with 0030797
(0080273) hgbot (developer) 2015-09-09 11:20 |
Repository: erp/devel/pi
Changeset: 33b4685cb8aee0a367b42741ecaf207c5b602597
Author: Atul Gaware <atul.gaware <at> openbravo.com>
Date: Tue Sep 08 10:27:21 2015 +0530
URL: http://code.openbravo.com/erp/devel/pi/rev/33b4685cb8aee0a367b42741ecaf207c5b602597
Fixes Issue 30735:All price lists are displayed without organization role access check.
Validation is provided to check the organization of price list being loaded is accessible by Role of logged in user. SL_ProductPrice_PriceListVersion is deprecated as is not required and also unlinked from the column.
---
M src-db/database/sourcedata/AD_COLUMN.xml
M src-db/database/sourcedata/AD_VAL_RULE.xml
M src/org/openbravo/erpCommon/ad_callouts/SL_ProductPrice_PriceListVersion.java
---
(0080274) hgbot (developer) 2015-09-09 11:20 |
Repository: erp/devel/pi
Changeset: 7d592e7f797fadd672708877241eda75ec953cdf
Author: Víctor Martínez Romanos <victor.martinez <at> openbravo.com>
Date: Tue Sep 08 19:05:27 2015 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/7d592e7f797fadd672708877241eda75ec953cdf
Fixed bug 30735: code review improvements
Rewritten validation rule to be generic, so we can use it for any record (not only Price List Versions).
In case the role's user level is Client or Client+Organization, the validation also displays PLV for * organization even in the case the * organization is not in the list of the Role's Organizations. This is the way it works for normal WAD windows (like Price List).
Removed code related to user level = System, as this is not used by the finance flows
---
M src-db/database/sourcedata/AD_VAL_RULE.xml
---
(0080275) vmromanos (manager) 2015-09-09 11:21 |
Code review + testing OK |
(0080298) hudsonbot (developer) 2015-09-09 23:11 |
A changeset related to this issue has been promoted to main and to the Central Repository, after passing a series of tests.
Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/35a1eec70785
Maturity status: Test
(0080299) hudsonbot (developer) 2015-09-09 23:11 |
A changeset related to this issue has been promoted to main and to the Central Repository, after passing a series of tests.
Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/35a1eec70785
Maturity status: Test
(0080310) vmromanos (manager) 2015-09-10 10:02 |
Reopened: The callout might make sense in some scenarios with complex organization setup. It ensures the organization of the new Product Price is the same as the Price List Version if the role has write access to it.
Besides we will fix the following line as the indexOf() may return 0 when the record is found:
hasAccessTo = role.getOrganizationList().indexOf(plv.getOrganization().getId()) > 0;
(0080313) hgbot (developer) 2015-09-10 11:43 |
Repository: erp/devel/pi
Changeset: 13211c4cc0a0029cb8643259cfbe3bd1e2ed215b
Author: Víctor Martínez Romanos <victor.martinez <at> openbravo.com>
Date: Thu Sep 10 11:39:20 2015 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/13211c4cc0a0029cb8643259cfbe3bd1e2ed215b
Fixed bug 30735: SL_ProductPrice_PriceListVersion is back with improvements
The SL_ProductPrice_PriceListVersion callout has been associated again to the Price List Version column. This callout sets the Product Price's Organization equal to the Price List Version's Organization only in the case the current role has write access to the PLV's Organization.
Besides, this callout has been improved:
+ Run in admin mode
+ The validation to know whether it was a valid organization was wrong, because the indexOf() may also return 0 when a record is found. Besides using indexOf() to run this validation could be wrong when the Price List version is defined for * organization (since any of the organization's UUID in the role might contain a 0). So this validation has been completely rewritten using StringTokenizer.
+ Finally, in case the role is defined for Client or Client+Organization user level, we force to include * in the list of valid organizations.
---
M src-db/database/sourcedata/AD_COLUMN.xml
M src/org/openbravo/erpCommon/ad_callouts/SL_ProductPrice_PriceListVersion.java
---
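The two indexOf() defects described in the commit message above, shown beside a whole-token comparison. This is an added example, not the Openbravo callout code: the comma-separated list format, the sample IDs, the class and method names, and "0" as the ID of the * organization are assumptions made for illustration.

```java
import java.util.StringTokenizer;

public class OrgAccessCheck {
    // Assumption: the "*" organization has ID "0"; all other IDs are constructed.
    static final String STAR_ORG = "0";

    // The check quoted in note 0080310: substring search compared with "> 0".
    static boolean hasAccessIndexOf(String roleOrgList, String plvOrgId) {
        return roleOrgList.indexOf(plvOrgId) > 0;
    }

    // Whole-token comparison with StringTokenizer, the approach the commit
    // message names. includeStar models the Client / Client+Organization case.
    static boolean hasAccessTokens(String roleOrgList, String plvOrgId, boolean includeStar) {
        if (includeStar && STAR_ORG.equals(plvOrgId)) {
            return true;
        }
        StringTokenizer tokens = new StringTokenizer(roleOrgList, ",");
        while (tokens.hasMoreTokens()) {
            // Tolerate optional quotes and spaces around each ID.
            String orgId = tokens.nextToken().trim().replace("'", "");
            if (orgId.equals(plvOrgId)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed role organization list (hypothetical format and values).
        String roleOrgs = "A10F77C2,B2C3D4E5";

        // Authorized org at position 0: indexOf() returns 0, so "> 0" denies it.
        System.out.println("first org, indexOf:  " + hasAccessIndexOf(roleOrgs, "A10F77C2"));
        System.out.println("first org, tokens:   " + hasAccessTokens(roleOrgs, "A10F77C2", false));

        // "*" org is not in the list, but "0" is a substring of "A10F77C2",
        // so the substring search grants access that the role does not have.
        System.out.println("* org, indexOf:      " + hasAccessIndexOf(roleOrgs, STAR_ORG));
        System.out.println("* org, tokens:       " + hasAccessTokens(roleOrgs, STAR_ORG, false));

        // Client or Client+Organization user level: "*" is forced into the valid set.
        System.out.println("* org, client level: " + hasAccessTokens(roleOrgs, STAR_ORG, true));
    }
}
```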
(0080324) hudsonbot (developer) 2015-09-11 06:33 |
A changeset related to this issue has been promoted to main and to the Central Repository, after passing a series of tests.
Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/2828f6cbe752
Maturity status: Test
Issue History | |||
Date Modified | Username | Field | Change |
2015-09-02 10:50 | malsasua | New Issue | |
2015-09-02 10:50 | malsasua | Assigned To | => Triage Finance |
2015-09-02 10:50 | malsasua | Modules | => Core |
2015-09-02 10:50 | malsasua | Resolution time | => 1442700000 |
2015-09-02 10:50 | malsasua | Triggers an Emergency Pack | => No |
2015-09-02 10:54 | malsasua | File Added: pl1.png | |
2015-09-02 10:54 | malsasua | File Added: pl2.png | |
2015-09-02 10:54 | malsasua | File Added: roleOrgAccess.png | |
2015-09-02 10:54 | malsasua | File Added: roleUser.png | |
2015-09-04 10:22 | vmromanos | Relationship added | related to 0021821 |
2015-09-04 12:36 | vmromanos | Note Added: 0080107 | |
2015-09-04 12:37 | vmromanos | Note Edited: 0080107 | View Revisions |
2015-09-07 09:14 | AtulOpenbravo | Assigned To | Triage Finance => AtulOpenbravo |
2015-09-07 09:14 | AtulOpenbravo | Status | new => scheduled |
2015-09-08 08:52 | AtulOpenbravo | Note Added: 0080236 | |
2015-09-08 11:42 | vmromanos | Note Edited: 0080107 | View Revisions |
2015-09-08 12:32 | vmromanos | Note Added: 0080243 | |
2015-09-08 13:52 | vmromanos | Note Edited: 0080243 | View Revisions |
2015-09-08 16:52 | vmromanos | Relationship added | related to 0030797 |
2015-09-08 16:56 | vmromanos | Note Edited: 0080243 | View Revisions |
2015-09-09 11:20 | hgbot | Checkin | |
2015-09-09 11:20 | hgbot | Note Added: 0080273 | |
2015-09-09 11:20 | hgbot | Status | scheduled => resolved |
2015-09-09 11:20 | hgbot | Resolution | open => fixed |
2015-09-09 11:20 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/devel/pi/rev/33b4685cb8aee0a367b42741ecaf207c5b602597 |
2015-09-09 11:20 | hgbot | Checkin | |
2015-09-09 11:20 | hgbot | Note Added: 0080274 | |
2015-09-09 11:20 | hgbot | Fixed in SCM revision | http://code.openbravo.com/erp/devel/pi/rev/33b4685cb8aee0a367b42741ecaf207c5b602597 => http://code.openbravo.com/erp/devel/pi/rev/7d592e7f797fadd672708877241eda75ec953cdf |
2015-09-09 11:21 | vmromanos | Review Assigned To | => vmromanos |
2015-09-09 11:21 | vmromanos | Note Added: 0080275 | |
2015-09-09 11:21 | vmromanos | Status | resolved => closed |
2015-09-09 23:11 | hudsonbot | Checkin | |
2015-09-09 23:11 | hudsonbot | Note Added: 0080298 | |
2015-09-09 23:11 | hudsonbot | Checkin | |
2015-09-09 23:11 | hudsonbot | Note Added: 0080299 | |
2015-09-10 09:51 | vmromanos | Note Edited: 0080107 | View Revisions |
2015-09-10 10:02 | vmromanos | Note Added: 0080310 | |
2015-09-10 10:02 | vmromanos | Status | closed => new |
2015-09-10 10:02 | vmromanos | Resolution | fixed => open |
2015-09-10 11:43 | hgbot | Checkin | |
2015-09-10 11:43 | hgbot | Note Added: 0080313 | |
2015-09-10 11:43 | hgbot | Status | new => resolved |
2015-09-10 11:43 | hgbot | Resolution | open => fixed |
2015-09-10 11:43 | hgbot | Fixed in SCM revision | http://code.openbravo.com/erp/devel/pi/rev/7d592e7f797fadd672708877241eda75ec953cdf => http://code.openbravo.com/erp/devel/pi/rev/13211c4cc0a0029cb8643259cfbe3bd1e2ed215b |
2015-09-10 11:44 | vmromanos | Status | resolved => closed |
2015-09-11 06:33 | hudsonbot | Checkin | |
2015-09-11 06:33 | hudsonbot | Note Added: 0080324 | |
2015-09-25 08:50 | vmromanos | Relationship added | related to 0030926 |