0027953: AccessibleOrgTree wrongly used in some reports may create security issues

Notes
(0071608) ngarcia (developer) 2014-11-12 13:39	It also happens in transactional windows

(0075117) jorge-garcia (reporter) 2015-03-03 13:34 edited on: 2015-03-05 11:02	Test Plan General: Remember to change the User Level = 'Organization' and delete some Org Access lines in the Role window for the used roles. 1) Test Plan 1: Asset report for depreciation schedule As F&B España, S.A - Finance Go to Asset Report for Deprecation Schedule. See that in the Organization combo only logged role's organization are available. Click on Search button and realize that only data from logged role's organizations is considered, as these organizations are selected in the combo. 2) Test Plan 2: Invoice Taxes Report As System Administrator: Go to Process and Reports Window and activate this report Go to Menu and activate Invoice Taxes Report menu As F&B España, S.A - Finance Go to Invoice Taxes Report and fill the mandatory filters. From Date: 01-01-2014 To Date: 31-12-2014 Click on HTML Format and realize that only data from logged role's organizations is considered, as these organizations are selected in the combo. 3) Test Plan 3: Pareto Product Report /* Optional/ As F&B International Group Admin, Go to Role window and select one of the roles Go to Report and Process Access tab and give access to the Pareto Product Report With the selected Role Go to Pareto Product Report and fill the mandatory filters. Currency: Currency of the report Warehouse: Warehouse of the selected organization Click on Search and realize that only data from selected organizations and warehouse is considered. 4) Test Plan 4: Create Budget Reports in Excel As F&B España, S.A - Finance Go to Create Budget Reports in Excel and fill the mandatory filters. General Ledger: F&B España, S.A. US/A/Euro Account Element: any Realize that only organizations from the logged role appears in the Trx organization combo .Click on Generate Excel. 5) Test Plan 5: Payment Aging Balance / Optional/ Former report. As System Administrator, Go to Report and Process window and activate the Payment Aging Balance Report Go to the Menu window and activate the Payment Aging Balance menu As F&B International Group Admin, Go to Role window and select one of the roles Go to Report and Process Access tab and give access to the Payment Aging Balance report With the selected role realize that only organizations from the logged role appears in the Organization list. 6) Test Plan 6: Sales Order Returns dimensional Report As System Administrator, Go to Report and Process window and activate the Sales Order Returns Dimensional Report Go to the Menu window and activate the Sales Order Returns Dimensional Report if it's not active yet As F&B International Group Admin, Go to Role window and select one of the roles Go to Report and Process Access tab and give access to the Sales Order Returns Dimensional report With the selected Role Go to Sales Order Returns Dimensional Report and fill the mandatory filters. From Date: 01-01-2011 To Date: 31-03-2011 See that in the Organization combo only logged role's organization are available. 7) Test Plan 7: Orders Awaiting Invoice Report / Optional/ As F&B International Group Admin, Go to Role window and select one of the roles Go to Report and Process Access tab and give access to the Orders Awaiting Invoice report With the selected role Go to Orders Awaiting Invoice Report and fill the mandatory filters. See that in the Organization combo only logged role's organization are available. 8) Test Plan 8: Shipments Dimensional Report As F&B España, S.A - Finance Go to Shipments Dimensional Report and fill the mandatory filters. From Date: 01-02-2011 To Date: 31-02-2011 See that in the Organization combo only logged role's organization are available. Click on HTML Format and realize that only data from logged role's organizations is considered, as these organizations are selected in the combo. 9) Test Plan 9: Project Profitability / Optional*/ As F&B International Group Admin, Go to Role window and select one of the roles Go to Report and Process Access tab and give access to the Project Profitability With the selected role Go to Project Profitability and fill the mandatory filters. See that in the Organization combo only logged role's organization are available. 10) Test Plan 10: Withholding Report As System Administrator, Go to Report and Process window and activate the Withholding Report Go to the Menu window and activate the Withholding Report if it's not active yet As F&B International Group Admin, Go to Role window and select one of the roles Go to Report and Process Access tab and give access to the Withholding Report With the selected Role Go to Withholding Report and fill the mandatory filters. See that in the Organization combo only logged role's organization are available. 11) Test Plan 11: Goods Receipts Dimensional Report As F&B España, S.A - Finance Go to Goods Receipts Dimensional Report and fill the mandatory filters. From Date: 01-02-2011 To Date: 31-03-2011 See that in the Organization combo only logged role's organization are available. 12) Test Plan 12: Sales Invoice Dimensional Report As F&B España, S.A - Finance Go to Sales Invoice Dimensional Report and fill the mandatory filters. From Date: 01-02-2011 To Date: 31-03-2011 See that in the Organization combo only logged role's organization are available. 13) Test Plan 13: Orders Awaiting Delivery Report As F&B España S.A. - Warehouse Go to Orders Awaiting Delivery Report See that in the Organization combo only logged role's organization are available. Click on PDF format button and realize that only data from logged role's organizations is considered, as these organizations are selected in the combo.

(0075486) hgbot (developer) 2015-03-12 13:41	Repository: erp/devel/pi Changeset: e5cd53fc814121bab1e327289c7636253b4f90b9 Author: Jorge Garcia <jorge.garcia <at> openbravo.com> Date: Tue Feb 17 12:33:34 2015 +0100 URL: http://code.openbravo.com/erp/devel/pi/rev/e5cd53fc814121bab1e327289c7636253b4f90b9 [^] Fixed issue 27953 AccessibleOrgTree wrongly used in some reports In many manual reports the organization combo is filled using: ComboTableData comboTableData = new ComboTableData(vars, this, "TABLEDIR", "AD_ORG_ID", "", "", Utility.getContext(this, vars, "#AccessibleOrgTree", "XXXX"), Utility.getContext(this, vars, "#User_Client", "XXXX"), ''); “#AccessibleOrgTree” context gets the list of all the granted organizations, their ancestors and their descendants organizations. It's necessary to use “#User_Org” instead, which contains the organizations that are granted by the role: ComboTableData comboTableData = new ComboTableData(vars, this, "TABLEDIR", "AD_ORG_ID", "", "", Utility.getContext(this, vars, "#User_Org", "XXXX"), Utility.getContext(this, vars, "#User_Client", "XXXX"), ''); Reports from these folders had been checked: src/org/openbravo/erpCommon/ad_reports src/org/openbravo/erpReports Files affected by this issue had been changed and tried --- M modules/org.openbravo.reports.ordersawaitingdelivery/src/org/openbravo/reports/ordersawaitingdelivery/erpCommon/ad_reports/ReportOrderNotShipped.java M src/org/openbravo/erpCommon/ad_reports/ReportAgingBalance.java M src/org/openbravo/erpCommon/ad_reports/ReportAnnualCertification.java M src/org/openbravo/erpCommon/ad_reports/ReportAssetDepreciationSchedule.java M src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java M src/org/openbravo/erpCommon/ad_reports/ReportCashFlow.java M src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerDimensionalAnalysesJR.java M src/org/openbravo/erpCommon/ad_reports/ReportMaterialDimensionalAnalysesJR.java M src/org/openbravo/erpCommon/ad_reports/ReportOrderNotInvoiceJR.java M src/org/openbravo/erpCommon/ad_reports/ReportParetoProduct.java M src/org/openbravo/erpCommon/ad_reports/ReportProjectProfitabilityJR.java M src/org/openbravo/erpCommon/ad_reports/ReportRefundSalesDimensionalAnalyses.java M src/org/openbravo/erpCommon/ad_reports/ReportShipmentDimensionalAnalyzeJR.java M src/org/openbravo/erpCommon/ad_reports/ReportTaxInvoiceJR.java ---

(0075487) hgbot (developer) 2015-03-12 13:41	Repository: erp/devel/pi Changeset: 9e165ce2e31193b859c04864358d30bbfb6f040d Author: Jorge Garcia <jorge.garcia <at> openbravo.com> Date: Tue Mar 03 12:04:20 2015 +0100 URL: http://code.openbravo.com/erp/devel/pi/rev/9e165ce2e31193b859c04864358d30bbfb6f040d [^] Related to issue 27953: Updated Copyright Updated Copyright dates --- M modules/org.openbravo.reports.ordersawaitingdelivery/src/org/openbravo/reports/ordersawaitingdelivery/erpCommon/ad_reports/ReportOrderNotShipped.java M src/org/openbravo/erpCommon/ad_reports/ReportAgingBalance.java M src/org/openbravo/erpCommon/ad_reports/ReportAnnualCertification.java M src/org/openbravo/erpCommon/ad_reports/ReportAssetDepreciationSchedule.java M src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java M src/org/openbravo/erpCommon/ad_reports/ReportCashFlow.java M src/org/openbravo/erpCommon/ad_reports/ReportMaterialDimensionalAnalysesJR.java M src/org/openbravo/erpCommon/ad_reports/ReportOrderNotInvoiceJR.java M src/org/openbravo/erpCommon/ad_reports/ReportParetoProduct.java M src/org/openbravo/erpCommon/ad_reports/ReportProjectProfitabilityJR.java M src/org/openbravo/erpCommon/ad_reports/ReportRefundSalesDimensionalAnalyses.java M src/org/openbravo/erpCommon/ad_reports/ReportShipmentDimensionalAnalyzeJR.java M src/org/openbravo/erpCommon/ad_reports/ReportTaxInvoiceJR.java ---

(0075488) aferraz (manager) 2015-03-12 13:42	Code review + Testing OK

(0075514) hudsonbot (developer) 2015-03-13 03:18	A changeset related to this issue has been promoted main and to the Central Repository, after passing a series of tests. Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/6f599d5217c4 [^] Maturity status: Test

(0075515) hudsonbot (developer) 2015-03-13 03:18	A changeset related to this issue has been promoted main and to the Central Repository, after passing a series of tests. Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/6f599d5217c4 [^] Maturity status: Test

Issue History
Date Modified	Username	Field	Change
2014-10-22 18:51	vmromanos	New Issue
2014-10-22 18:51	vmromanos	Assigned To	=> dmiguelez
2014-10-22 18:51	vmromanos	Modules	=> Core
2014-10-22 18:51	vmromanos	Triggers an Emergency Pack	=> No
2014-10-22 18:52	vmromanos	Relationship added	caused by 0006199
2014-10-22 18:52	vmromanos	Relationship added	related to 0027459
2014-11-10 19:06	ngarcia	Issue Monitored: ngarcia
2014-11-12 13:39	ngarcia	Note Added: 0071608
2014-11-18 19:12	jonalegriaesarte	Resolution time	=> 1418943600
2014-12-22 16:48	shuehner	Issue Monitored: shuehner
2015-01-19 13:21	Sandrahuguet	Relationship added	related to 0028675
2015-02-11 16:44	Sandrahuguet	Assigned To	dmiguelez => jorge-garcia
2015-02-18 11:56	Sandrahuguet	Status	new => scheduled
2015-02-18 11:56	Sandrahuguet	fix_in_branch	=> pi
2015-02-26 08:48	Sandrahuguet	Review Assigned To	=> aferraz
2015-02-26 08:48	Sandrahuguet	fix_in_branch	pi =>
2015-03-03 13:34	jorge-garcia	Note Added: 0075117
2015-03-04 15:01	psanjuan	Note Edited: 0075117	View Revisions
2015-03-05 11:02	psanjuan	Note Edited: 0075117	View Revisions
2015-03-12 13:41	hgbot	Checkin
2015-03-12 13:41	hgbot	Note Added: 0075486
2015-03-12 13:41	hgbot	Status	scheduled => resolved
2015-03-12 13:41	hgbot	Resolution	open => fixed
2015-03-12 13:41	hgbot	Fixed in SCM revision	=> http://code.openbravo.com/erp/devel/pi/rev/e5cd53fc814121bab1e327289c7636253b4f90b9 [^]
2015-03-12 13:41	hgbot	Checkin
2015-03-12 13:41	hgbot	Note Added: 0075487
2015-03-12 13:42	aferraz	Note Added: 0075488
2015-03-12 13:42	aferraz	Status	resolved => closed
2015-03-13 03:18	hudsonbot	Checkin
2015-03-13 03:18	hudsonbot	Note Added: 0075514
2015-03-13 03:18	hudsonbot	Checkin
2015-03-13 03:18	hudsonbot	Note Added: 0075515
2015-09-07 14:11	vmromanos	Relationship added	related to 0030781