ID: 0023518
Type: design defect
Category: [Openbravo ERP] C. Security
Severity: minor
Reproducibility: N/A
Date Submitted: 2013-04-09 17:21
Last Update: 2013-04-30 12:14
Reporter: alostale
View Status: public
Assigned To: alostale
Priority: urgent
Resolution: fixed
Fixed in Version: 3.0MP23
Status: closed
Fixed in SCM revision: 46bf40360c73
Projection: none
ETA: none
Target Version: 3.0MP23
OS: Any
Database: Any
Review Assigned To: AugustoMauch
Modules: Core
Triggers an Emergency Pack: No
Summary: 0023518: Restrict Access to Portal sessions

Description: Portal sessions should have limited access to:

- Web Services: JSON and XML web services shouldn't be accessible to portal sessions
- ActionHandlers: only the ones that are explicitly set to be accessible by portal should be executable
- Datasources: only the ones that are explicitly set to be accessible by portal should be executable. In particular, the default one used to retrieve grid data shouldn't be accessible
- Query List widget datasources: they should be accessible
Steps To Reproduce: -
Tags: No tags attached.

Relationships
related to 0023520 (design defect, 3.0MP23, closed, alostale): Restrict access to query list widgets
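
Added example (not Openbravo's code): a deny-by-default dispatch check of the kind the description asks for, where a handler is reachable from a portal session only if it explicitly opts in. PortalAccessible is assumed here to be a marker interface; every other name is hypothetical.

```java
import java.util.Map;

// Hypothetical sketch: all names except PortalAccessible are invented, and
// PortalAccessible is assumed here to be an opt-in marker interface.
public class PortalGateExample {
  interface PortalAccessible {}                 // opt-in marker (assumed shape)
  interface ActionHandler { String execute(String request); }

  // Explicitly opted in: portal sessions may call it.
  static class PortalProfileHandler implements ActionHandler, PortalAccessible {
    public String execute(String request) { return "profile for " + request; }
  }

  // Not opted in: reachable from back-office sessions only.
  static class GridDataHandler implements ActionHandler {
    public String execute(String request) { return "rows for " + request; }
  }

  static final Map<String, ActionHandler> HANDLERS = Map.of(
      "profile", new PortalProfileHandler(),
      "grid", new GridDataHandler());

  // Central dispatch: the check lives in one place, so a newly added handler
  // is unreachable from portal sessions until it opts in (deny by default).
  static String dispatch(boolean portalSession, String name, String request) {
    ActionHandler handler = HANDLERS.get(name);
    if (handler == null) {
      throw new IllegalArgumentException("unknown handler: " + name);
    }
    if (portalSession && !(handler instanceof PortalAccessible)) {
      throw new SecurityException("handler not accessible from portal: " + name);
    }
    return handler.execute(request);
  }

  public static void main(String[] args) {
    System.out.println(dispatch(false, "grid", "orders"));   // back-office session
    System.out.println(dispatch(true, "profile", "user1"));  // portal, opted in
    try {
      dispatch(true, "grid", "orders");                       // portal, not opted in
    } catch (SecurityException e) {
      System.out.println("denied: " + e.getMessage());
    }
  }
}
```

Putting the check in the dispatcher rather than in each handler means a handler that forgets to declare anything is denied to portal sessions, not exposed.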

Notes
(0057898)
hgbot (developer)
2013-04-15 13:49

Repository: erp/devel/pi
Changeset: 46bf40360c734a9a94b4e8f9b8e25070bc241222
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Tue Apr 09 17:45:00 2013 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/46bf40360c734a9a94b4e8f9b8e25070bc241222

fixed issue 23518: Restrict Access to Portal sessions

-Web Services: json and xml webservices shouldn't be accessible to portal sessions
-ActionHandlers: only the ones that are explicitly set to be accessible by portal should be executable
-Datasources: only the ones that are explicitly set to be accessible by portal should be executable. Specially default one used to retrieve grid data shouldn't be accessible
-Query List widget datasources: They should be accessible

---
M modules/org.openbravo.client.application/src/org/openbravo/client/application/AlertActionHandler.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/HeartBeatPopupActionHandler.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/LogOutActionHandler.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/ParametersActionHandler.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/StorePropertyActionHandler.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/navigationbarcomponents/UserInfoWidgetActionHandler.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/window/ImagesActionHandler.java
M modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/KernelServlet.java
M modules/org.openbravo.client.myob/src/org/openbravo/client/myob/MyOpenbravoActionHandler.java
M modules/org.openbravo.client.querylist/src/org/openbravo/client/querylist/QueryListDataSource.java
M modules/org.openbravo.service.datasource/src/org/openbravo/service/datasource/DataSourceServlet.java
M modules/org.openbravo.service.json/src/org/openbravo/service/json/JsonRestServlet.java
M src/org/openbravo/dal/core/OBContext.java
M src/org/openbravo/service/web/BaseWebServiceServlet.java
---
(0057900)
hgbot (developer)
2013-04-15 13:50

Repository: erp/devel/pi
Changeset: 896e36129e9a302621e13fc1e8ef467af47b34c2
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Mon Apr 15 08:17:58 2013 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/896e36129e9a302621e13fc1e8ef467af47b34c2

related to issue 23518: added missing file

---
A src/org/openbravo/portal/PortalAccessible.java
---
(0057975)
hudsonbot (developer)
2013-04-16 19:18

A changeset related to this issue has been promoted to main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/8df08bea850d

Maturity status: Test
(0057977)
hudsonbot (developer)
2013-04-16 19:18

A changeset related to this issue has been promoted to main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/8df08bea850d

Maturity status: Test
(0058343)
AugustoMauch (manager)
2013-04-30 12:12

Code reviewed and verified in pi@a7efc1231554

Issue History
Date Modified Username Field Change
2013-04-09 17:21 alostale New Issue
2013-04-09 17:21 alostale Assigned To => alostale
2013-04-09 17:21 alostale Modules => Core
2013-04-09 17:21 alostale Triggers an Emergency Pack => No
2013-04-09 17:34 alostale Review Assigned To => AugustoMauch
2013-04-09 17:50 alostale Relationship added related to 0023520
2013-04-15 13:49 hgbot Checkin
2013-04-15 13:49 hgbot Note Added: 0057898
2013-04-15 13:49 hgbot Status new => resolved
2013-04-15 13:49 hgbot Resolution open => fixed
2013-04-15 13:49 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/46bf40360c734a9a94b4e8f9b8e25070bc241222
2013-04-15 13:50 hgbot Checkin
2013-04-15 13:50 hgbot Note Added: 0057900
2013-04-16 19:18 hudsonbot Checkin
2013-04-16 19:18 hudsonbot Note Added: 0057975
2013-04-16 19:18 hudsonbot Checkin
2013-04-16 19:18 hudsonbot Note Added: 0057977
2013-04-30 12:12 AugustoMauch Note Added: 0058343
2013-04-30 12:12 AugustoMauch Status resolved => closed
2013-04-30 12:14 AugustoMauch Fixed in Version => 3.0MP23

