ID: 0010966
Type: defect
Category: [Openbravo ERP] Y. DBSourceManager
Severity: major
Reproducibility: always
Date Submitted: 2009-10-14 14:15
Last Update: 2009-10-23 00:01
Reporter: walle
View Status: public
Assigned To: mtaal
Priority: normal
Resolution: fixed
Fixed in Version: pi
Status: closed
Fix in branch: pi
Fixed in SCM revision: 5281
Projection: none
ETA: none
OS: Linux 32 bit
OS Version: rPath Linux
Database: PostgreSQL
Database version: 8.3.5
Java version: 1.6.0_11
Ant version: 1.7.1
Product Version: 2.50MP6
Modules: Core
Triggers an Emergency Pack: No
Summary

0010966: Webservices - Access rights

Description: The webservices access rights are not the same as for Openbravo ERP. This means that a normal user who has no rights to open the Role window can see all roles with the webservices.

Steps To Reproduce: Log on with a user who has no rights to open the role, for example a user who has rights only for a certain organisation.

When the user has the Role window assigned, he cannot open it, but with the following URL he can see all roles and other settings:

http://openbravohost:8180/context/ws/dal/ADRole

Notes
(0021155)
mtaal (manager)
2009-10-19 10:47

Hi,
I did a test and it worked fine for me. I used the standard Openbravo SmallBazaar demo set, logged in with Openbravo/openbravo and then changed the role to Finance. Then I tried the URL you mention in your bug report and I get this error message (which is correct):
<ob:error xmlns:ob="http://www.openbravo.com"><message>Entity ADRole is not readable by the user 100</message></ob:error>

Did you try with the Openbravo Smallbazaar test set? Can you elaborate a bit more on what steps you took to reproduce this exception?

gr. Martin
(0021191)
walle (reporter)
2009-10-19 20:17

Hi...
OK, this is the constellation:

Created new client.
Created new organization (generic).
Created new standard role (not manual) on organization level (not client/organization).
Created new user and assigned the created org-role to the user.

When the user logs in, he can see the Role window in the menu, but when he clicks on Role he gets the message that he does not have the rights with the current role. That is because of the rights level of the window itself and is OK.

But now you go to the URL as discussed and the user can see all information about roles of the current client. (The role is only an example; it works in the same way for other windows.)

If you remove the Role window from the org-role rights, then the user does not see the menu item, and also in the webservices he cannot see all information, but he can still see the role names.

I hope my explanation was understandable.

BR, Walter
(0021317)
mtaal (manager)
2009-10-22 11:07

Hi Walter,
Thanks, this issue was/is related to the access level which was not checked correctly by the webservice. I have solved this, the solution is available in Mercurial.

gr. Martin
(0021318)
mtaal (manager)
2009-10-22 11:11

DAL now also uses data and user access level for checking access
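
The difference between the reported behaviour and the fix described in the notes above can be shown with a small model. This is an added example, not Openbravo code: the Level flags, the class and function names, the status codes and the access level given to ADRole are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Flag, auto

class Level(Flag):                      # simplified level model (assumption)
    SYSTEM = auto()
    CLIENT = auto()
    ORGANIZATION = auto()

@dataclass(frozen=True)
class Entity:
    name: str
    data_access_level: Level            # role levels allowed to read this entity

@dataclass
class Role:
    name: str
    user_level: Level
    window_entities: set = field(default_factory=set)  # entities behind granted windows

def readable_window_only(role, entity):
    """Behaviour reported in the ticket: the window grant alone decides."""
    return entity.name in role.window_entities

def readable_with_levels(role, entity):
    """Behaviour after the fix note: grant AND user level must match data access level."""
    return (entity.name in role.window_entities
            and bool(role.user_level & entity.data_access_level))

def ws_get(role, entity, check):
    """Hypothetical stand-in for GET /ws/dal/<entity>; returns (status, body)."""
    if not check(role, entity):
        return 403, f"Entity {entity.name} is not readable by role {role.name}"
    return 200, f"[rows of {entity.name}]"

# Constructed sample data: the access level given to ADRole here is an assumption.
AD_ROLE = Entity("ADRole", Level.SYSTEM | Level.CLIENT)
ORG_ROLE = Role("org-role", Level.ORGANIZATION, {"ADRole"})
CLIENT_ROLE = Role("client-admin", Level.CLIENT | Level.ORGANIZATION, {"ADRole"})
NO_WINDOW_ROLE = Role("org-role-no-window", Level.ORGANIZATION)

if __name__ == "__main__":
    for role in (ORG_ROLE, CLIENT_ROLE, NO_WINDOW_ROLE):
        for check in (readable_window_only, readable_with_levels):
            print(role.name, check.__name__, ws_get(role, AD_ROLE, check))
```

The organization-level role with the window grant is the case from the ticket: the grant-only check serves the data, while the combined check refuses it, matching what the UI already did.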

Issue History
Date Modified Username Field Change
2009-10-14 14:15 walle New Issue
2009-10-14 14:15 walle Assigned To => marvintm
2009-10-14 14:42 marvintm Assigned To marvintm => mtaal
2009-10-16 13:44 psarobe Status new => scheduled
2009-10-16 13:44 psarobe fix_in_branch => pi
2009-10-19 10:47 mtaal Note Added: 0021155
2009-10-19 10:47 mtaal Status scheduled => feedback
2009-10-19 20:17 walle Note Added: 0021191
2009-10-22 11:07 mtaal Status feedback => scheduled
2009-10-22 11:07 mtaal Note Added: 0021317
2009-10-22 11:11 mtaal Status scheduled => resolved
2009-10-22 11:11 mtaal Fixed in Version => pi
2009-10-22 11:11 mtaal Fixed in SCM revision => 5281
2009-10-22 11:11 mtaal Resolution open => fixed
2009-10-22 11:11 mtaal Note Added: 0021318
2009-10-22 11:21 plujan Status resolved => closed
2009-10-23 00:01 anonymous sf_bug_id 0 => 2884262

