View Issue Details

ID: 0006985
Type: feature request
Category: [Openbravo ERP] C. Security
Severity: critical
Reproducibility: always
Date Submitted: 2009-01-19 12:11
Last Update: 2009-10-30 11:58
Reporter: joan
View Status: public
Assigned To: iciordia
Priority: urgent
Resolution: no change required
Status: closed
Fix in branch: pi
Projection: none
ETA: none
OS: Any
Database: Any
Product Version: 2.40
Modules: Core
Triggers an Emergency Pack: No
Summary: 0006985: User can access restricted info without access rights
Description: When you create a new role as manual and allow access to the Product window, the user can see the associated reports in the Information section of the menu. From there he can access the Product Information window, which shows prices. The problem is that when you restrict access to the tables M_pricelist, m_pricelist_version, m_product_po, m_productprice, the user with the new role can still see the Product Information window in the Information menu. This is really a big problem because if you can't limit this view then you really can't limit the view of a user.
Steps To Reproduce:
1. Create a new role called newrole and set it as manual. Save it.
2. Insert access to the org.
3. Insert access to the window Product.
4. Assign this role to a user A.
5. Go to the Role Access table and, for the role newrole, limit the following tables: m_product_po, m_productprice, m_pricelist, m_pricelistversion.
6. Now change to user A with role newrole.
7. Go to the Product window and go to the Price tab. It gives you a restricted access error (this is OK).
8. Go to the Information -> Product menu. This menu should not appear, or at least the prices shouldn't be shown.
Tags: ReleaseCandidate

Notes
(0012320) joan (reporter) 2009-01-19 12:12
I use the Openbravo 2.40 version on Debian etch, with PostgreSQL 8.3.
(0012323) joan (reporter) 2009-01-19 12:49
Also, a collateral problem of this is the following one. If you allow access to the Product window and you restrict access to the table c_bpartner, the user can still see all your vendors and customers. Also, if you restrict access to ad_reference the problem still remains. There should be restricted access to references by role, or at least all the references should check whether there are restricted tables assigned to them.
(0012324) psarobe (manager) 2009-01-19 13:00
Hi Joan, please use the Product Version combo for entering the version instead of adding a note. Thanks again for your feedback. Regards
(0012326) joan (reporter) 2009-01-19 13:15
Sorry, I realized just after clicking the send button, and I couldn't change it afterwards. That's why I've added a note.
(0012378) psarobe (manager) 2009-01-20 11:01
Hi Joan, sorry but I don't understand you when you say "Also if you restrict access to ad_reference still the problem remains" and also when you say "you can still see all your vendor and customers". Can you please provide the steps for this example? Thanks
(0012387) joan (reporter) 2009-01-20 12:15
Sure Psarobe :). When I say "you can still see all your vendor and customer" I mean that if you go to the Product window, press on the "Business Partner" field and press enter, it shows a popup in which you can see all the business partners (vendors, customers), and if you restrict the access to the table c_bpartner, you can still see the vendors and customers in that popup. (Of course I don't want that user to see that info; that's why I've excluded the access.)

About the ad_reference thing, I was thinking that if, after the steps before, I exclude the access to the ad_reference table, then maybe the different references would not show up. That's why I said that, but obviously this is not happening as I expected.

The steps for this are (continuing after the Steps To Reproduce of the issue):
1. Still being the role A, go to the Product window again.
2. Press the button Business Partner. A popup is shown.
3. See that you can see the different B.Partners (vendors, customers).
4. Change the role to the Admin.
5. Go to the Role Access window and insert new restrictions on the role A: restrict access to the c_bpartner table (set exclude) and restrict access to the ad_references table (set exclude).
6. Change again to role A.
7. Go to the Product window.
8. Press the button Business Partner. A popup is shown.
9. See that you can see the different B.Partners (vendors, customers). (I think you shouldn't, because access to the table is restricted.)
(0012609) pjuvara (reporter) 2009-01-26 07:17
Reminder sent to: rafaroda
Pablo, Rafa, how do we proceed on this security issue? Thanks, Paolo
(0012610) pjuvara (reporter) 2009-01-26 07:18
Reminder sent to: psarobe
Pablo, Rafa, how do we proceed on this security issue? Thanks, Paolo
(0012769) psarobe (manager) 2009-01-28 18:26
Hi Joan, the "role access" tab within the Table window is to reject access to a specific table, so users are not allowed to see tabs linked to that table. For example, if a role is allowed to access the Product window but is rejected access to the Price table, then that role won't be able to access the Price tab within the Product window.

Selectors follow a different model. You can open/use a selector if you have access to a window where that selector is used. So if a role has been granted access to Sales Order, where the product selector is used, then that role will see the product selector from the application menu.

But we are going to change this issue to a feature request to take into account all your comments and improve the security model. Thanks
(0012902) joan (reporter) 2009-01-30 14:04
Well, I still believe that this is a security problem. I have some possible solutions.
a) Create an access table by role on selectors; if you don't have access to a selector you can't see it, and the selector in all the pages becomes a normal text field.
b) Try to unify the security model: only show in a selector the data whose table you have access to. If you don't have access to the price table, you can't see the price, but you see the name of the product (if you have access to the m_product table).
c) Allow disabling the Information menu entry, at least to hide the selectors a little more from the users.
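The two authorization paths described in note 0012769 (tab access is gated by window grant plus table exclusion; selector access is gated only by a window grant) and the unified model proposed in option b) of note 0012902 can be written down as a small policy model so that the gap is visible as data rather than as a UI walk-through. The block below is an added illustration written for this page, not Openbravo code; the names (Role, can_open_tab, selector_allowed_by_window, selector_allowed_by_table, visible_columns, leaked_tables), the window/selector metadata and the role definitions are constructed for the example and only mirror what the thread describes.

```python
"""Toy model of window-based vs table-based authorization for selectors.

Added example for this issue page; it is not Openbravo's implementation.
All metadata below is constructed to mirror the thread's description.
"""
from dataclasses import dataclass

# Constructed metadata: which tables back the tabs of each window.
WINDOW_TABS = {
    "Product": {"m_product", "m_product_po", "m_productprice"},
    "Sales Order": {"c_order", "c_orderline"},
}

# Constructed metadata for pop-up selectors: the windows they are used from,
# and the table behind each column they display.
SELECTORS = {
    "Product Information": {
        "used_in": {"Product", "Sales Order"},
        "columns": {"name": "m_product",
                    "price": "m_productprice",
                    "pricelist": "m_pricelist"},
    },
    "Business Partner": {
        "used_in": {"Product", "Sales Order"},
        "columns": {"name": "c_bpartner", "taxid": "c_bpartner"},
    },
}


@dataclass(frozen=True)
class Role:
    name: str
    windows: frozenset        # windows the role is granted
    excluded_tables: frozenset  # tables rejected in the Role Access tab


def can_open_tab(role: Role, window: str, table: str) -> bool:
    """Tab check as described in note 0012769: window granted, table not excluded."""
    return (window in role.windows
            and table in WINDOW_TABS.get(window, set())
            and table not in role.excluded_tables)


def selector_allowed_by_window(role: Role, selector: str) -> bool:
    """Selector check as described: any granted window that uses the selector."""
    return bool(SELECTORS[selector]["used_in"] & role.windows)


def selector_tables(selector: str) -> set:
    return set(SELECTORS[selector]["columns"].values())


def selector_allowed_by_table(role: Role, selector: str) -> bool:
    """Unified check (option b): window grant AND no excluded table is read."""
    return (selector_allowed_by_window(role, selector)
            and not (selector_tables(selector) & role.excluded_tables))


def visible_columns(role: Role, selector: str) -> list:
    """Column-level variant of option b: drop columns backed by excluded tables,
    so a role may see the product name but not its price."""
    if not selector_allowed_by_window(role, selector):
        return []
    return sorted(col for col, table in SELECTORS[selector]["columns"].items()
                  if table not in role.excluded_tables)


def leaked_tables(role: Role) -> dict:
    """Excluded tables that remain reachable through a selector under the
    window-only model; a non-empty result is the inconsistency the issue reports."""
    leaks = {}
    for name in SELECTORS:
        if selector_allowed_by_window(role, name):
            exposed = selector_tables(name) & role.excluded_tables
            if exposed:
                leaks[name] = sorted(exposed)
    return leaks


# Constructed role following the issue's Steps To Reproduce plus note 0012387.
NEWROLE = Role(
    "newrole",
    frozenset({"Product"}),
    frozenset({"m_product_po", "m_productprice", "m_pricelist",
               "m_pricelistversion", "c_bpartner"}),
)

if __name__ == "__main__":
    print("price tab:", can_open_tab(NEWROLE, "Product", "m_productprice"))
    print("leaks under window model:", leaked_tables(NEWROLE))
    print("visible columns (option b):",
          visible_columns(NEWROLE, "Product Information"))
```

Running it for the constructed role shows the price tab denied while both selectors still expose excluded tables under the window-only rule; the unified rule denies the Product Information selector outright, and the column-level variant keeps only the product name, which is the behaviour option b) asks for.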
(0019419) rafaroda (developer) 2009-09-02 13:27
According to http://wiki.openbravo.com/wiki/Bug_Reporting_Guidelines#How_to_Choose_the_Right_Severity feature requests should not have Severity Critical. If there is no reason why they are Critical, please lower their priority to Major:
* New functionality that would significantly increase the user base of the product.
* Usability improvements.
Thanks.
(0021476) joan (reporter) 2009-10-29 18:14 edited on: 2009-10-29 18:16
Critical: * Production system is severely impacted
I really think this could show private data outside of the user role it belongs to. So I'm not sure, but I think it must be critical. Anyway, I know that there is a possible workaround for it, which is creating a copy of the window without the affected data, but this is not clear.
(0021486) iciordia (manager) 2009-10-30 11:38
Changing to status scheduled
(0021487) iciordia (manager) 2009-10-30 11:58
Joan, let me explain the reasons I decided to reject this issue:
- In your example below you want role A to be able to edit products, but that role should not be able to see business partners.
- When editing products, users need to choose the business partner associated with the product (by the way, this is a very uncommon requirement, so you could just remove this field if it is not needed, to solve your issue).
- But if this is needed, there is no way to allow choosing without allowing seeing the list of business partners.
- If the information shown in the business partner selector is more than you would like to show, you can easily change the reference for that column to a drop-down list where only the name is shown, or create your own business partner selector with the information you think is appropriate.
- If the role does not need to edit products, you can change privileges to read only, so the business partner selector is not enabled.
Finally, Openbravo plans to review its security model in line with your suggested approach, to improve the ease of security administration and consistency. But the current security model allows you to run production environments with very granular security configuration and without critical restrictions. Please let me know what your requirement is and I will guide you to the proper configuration. Thanks, Ismael
Issue History

Date Modified | Username | Field | Change
2009-01-19 12:11 | joan | New Issue | |
2009-01-19 12:11 | joan | Assigned To | => rafaroda |
2009-01-19 12:11 | joan | sf_bug_id | 0 => 2519459 |
2009-01-19 12:12 | joan | Note Added: 0012320 | |
2009-01-19 12:49 | joan | Note Added: 0012323 | |
2009-01-19 13:00 | psarobe | Note Added: 0012324 | |
2009-01-19 13:00 | psarobe | version | => 2.40 |
2009-01-19 13:15 | joan | Note Added: 0012326 | |
2009-01-20 08:29 | pjuvara | Priority | normal => urgent |
2009-01-20 08:30 | pjuvara | Issue Monitored: pjuvara | |
2009-01-20 11:01 | psarobe | Note Added: 0012378 | |
2009-01-20 12:15 | joan | Note Added: 0012387 | |
2009-01-26 07:17 | pjuvara | Note Added: 0012609 | |
2009-01-26 07:18 | pjuvara | Issue Monitored: psarobe | |
2009-01-26 07:18 | pjuvara | Note Added: 0012610 | |
2009-01-28 18:26 | psarobe | Note Added: 0012769 | |
2009-01-28 18:26 | psarobe | Type | defect => feature request |
2009-01-29 11:05 | rafaroda | Assigned To | rafaroda => pjuvara |
2009-01-30 14:04 | joan | Note Added: 0012902 | |
2009-02-02 06:35 | pjuvara | Status | new => acknowledged |
2009-02-02 06:35 | pjuvara | Tag Attached: ReleaseCandidate | |
2009-05-22 19:36 | pjuvara | Assigned To | pjuvara => iciordia |
2009-09-02 13:27 | rafaroda | Note Added: 0019419 | |
2009-10-29 18:14 | joan | Note Added: 0021476 | |
2009-10-29 18:16 | joan | Note Edited: 0021476 | |
2009-10-30 11:38 | iciordia | Status | acknowledged => scheduled |
2009-10-30 11:38 | iciordia | Note Added: 0021486 | |
2009-10-30 11:38 | iciordia | fix_in_branch | => pi |
2009-10-30 11:58 | iciordia | Status | scheduled => closed |
2009-10-30 11:58 | iciordia | Note Added: 0021487 | |
2009-10-30 11:58 | iciordia | Resolution | open => no change required |
Copyright © 2000 - 2009 MantisBT Group