Anonymous | Login
Project:
RSS
  
News | My View | View Issues | Roadmap | Summary

View Issue DetailsJump to Notes ] Issue History ] Print ]
ID
0018987
TypeCategorySeverityReproducibilityDate SubmittedLast Update
defect[Openbravo ERP] 01. General setupcriticalalways2011-11-06 18:392012-03-02 15:37
ReporterpjuvaraView Statuspublic 
Assigned Toalostale 
PrioritynormalResolutionfixedFixed in Version3.0MP9
StatusclosedFix in branchFixed in SCM revision6409589a6ef9
ProjectionnoneETAnoneTarget Version
OSAnyDatabaseAnyJava version
OS VersionDatabase versionAnt version
Product Version3.0MP4.1SCM revision 
Merge Request Status
Review Assigned To
OBNetwork customerNo
Web browser
ModulesCore
Support ticket
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary

0018987: Inconsistent security access for menus between system client and other clients

DescriptionIn Openbravo the menu definition is done at system level and it should not be possible to see it and modify it at client level.

However, if I connect with a client admin role, I can open the Menu window. While I cannot see the records, I can open the menu tree, see the data and change the order of the records.

The changes commit successfully and impact the whole system; this mean that the admin user of one client is able to affect the behavior of all the other clients, including system.

In a multi-client environment this is a big issue.
Steps To ReproduceSee video
Proposed SolutionYou should not be able to open the tree with a client admin role.
TagsNo tags attached.
Attached Files

- Relationships Relation Graph ] Dependency Graph ]

-  Notes
(0045231)
hgbot (developer)
2012-02-17 11:35

 Repository: erp/devel/pi
Changeset: 6409589a6ef9a4e6b856c12b61dd04d03fd1f9c5
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Fri Feb 17 11:34:33 2012 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/6409589a6ef9a4e6b856c12b61dd04d03fd1f9c5 [^]

fixed bug 18987: Inconsistent security access for menus

---
M src/org/openbravo/erpCommon/utility/WindowTree.java
---
(0045232)
alostale (viewer)
2012-02-17 11:42

 Added access check for parent window to tree popup: no regression risk.

Test plan:
-Menu tree still works for Sys Admin: it opens and it is possible to rearrange items.
-Using Client Admin role trying to open the tree popup shows an error popup
-Other trees (such as Organization and account tree) still work
(0045233)
AugustoMauch (administrator)
2012-02-17 12:09

 Code reviewed and verified
(0045880)
hudsonbot (viewer)
2012-03-02 15:37

 A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/544d64e0c159 [^]

Maturity status: Test

- Issue History
Date Modified Username Field Change
2011-11-06 18:39 pjuvara New Issue
2011-11-06 18:39 pjuvara Assigned To => jonalegriaesarte
2011-11-06 18:39 pjuvara Modules => Core
2011-11-06 18:39 pjuvara OBNetwork customer => No
2011-11-06 18:40 pjuvara Issue Monitored: pjuvara
2011-11-06 18:40 pjuvara Issue Monitored: iciordia
2012-02-15 19:04 iciordia Assigned To jonalegriaesarte => vmromanos
2012-02-16 17:51 vmromanos Assigned To vmromanos => alostale
2012-02-17 11:35 hgbot Checkin
2012-02-17 11:35 hgbot Note Added: 0045231
2012-02-17 11:35 hgbot Status new => resolved
2012-02-17 11:35 hgbot Resolution open => fixed
2012-02-17 11:35 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/6409589a6ef9a4e6b856c12b61dd04d03fd1f9c5 [^]
2012-02-17 11:42 alostale Note Added: 0045232
2012-02-17 12:09 AugustoMauch Note Added: 0045233
2012-02-17 12:09 AugustoMauch Status resolved => closed
2012-02-17 12:09 AugustoMauch Fixed in Version => 3.0MP9
2012-03-02 15:37 hudsonbot Checkin
2012-03-02 15:37 hudsonbot Note Added: 0045880

Copyright © 2000 - 2009 MantisBT Group
Powered by Mantis Bugtracker