Anonymous | Login
Project:
RSS
  
News | My View | View Issues | Roadmap | Summary

View Issue DetailsJump to Notes ] Issue History ] Print ]
ID
0027953
TypeCategorySeverityReproducibilityDate SubmittedLast Update
defect[Openbravo ERP] 09. Financial managementmajorhave not tried2014-10-22 18:512015-03-13 03:18
ReportervmromanosView Statuspublic 
Assigned Tojorge-garcia 
PrioritynormalResolutionfixedFixed in Version
StatusclosedFix in branchFixed in SCM revisione5cd53fc8141
ProjectionnoneETAnoneTarget Version
OSAnyDatabaseAnyJava version
OS VersionDatabase versionAnt version
Product VersionpiSCM revision 
Review Assigned Toaferraz
Web browser
ModulesCore
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary

0027953: AccessibleOrgTree wrongly used in some reports may create security issues

DescriptionIn many manual reports the organization combo is filled using:

 ComboTableData comboTableData = new ComboTableData(vars, this, "TABLEDIR", "AD_ORG_ID", "",
          "", Utility.getContext(this, vars, "#AccessibleOrgTree", "XXXX"),
          Utility.getContext(this, vars, "#User_Client", "XXXX"), '*');

The "#AccessibleOrgTree" context gets the list of all the granted organizations, their ancestors and their descendants organizations.

For example, imagine our role only has access to "F&B España - Región Norte", that means that the #AccessibleOrgTree will be: F&B España - Región Norte, F&B España, F&B International Group and 0.

If we try to launch any of the reports affected by this bug, we will be able to select any parent organization, thus reading all the information available at that level, although our role doesn't have access to this organization.

This is an important security issue that may heavily affect organization structures where this information should be confidential.


The list of reports might be very big and we should review all of them, not only the Core's one but the module's reports too.
Here is a list of reports that might be affected (note that this list is not complete!):

src/org/openbravo/erpCommon/ad_reports/GeneralAccountingReports.java src/org/openbravo/erpCommon/ad_reports/MInOutTraceReports.java src/org/openbravo/erpCommon/ad_reports/ReportAccountingCountDimensionalAnalyses.java src/org/openbravo/erpCommon/ad_reports/ReportAgingBalance.java src/org/openbravo/erpCommon/ad_reports/ReportAnnualCertification.java src/org/openbravo/erpCommon/ad_reports/ReportBank.java src/org/openbravo/erpCommon/ad_reports/ReportBankJR.java src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java src/org/openbravo/erpCommon/ad_reports/ReportCash.java src/org/openbravo/erpCommon/ad_reports/ReportCashFlow.java src/org/openbravo/erpCommon/ad_reports/ReportCashJR.java src/org/openbravo/erpCommon/ad_reports/ReportCashflowForecast.java src/org/openbravo/erpCommon/ad_reports/ReportDebtPayment.java src/org/openbravo/erpCommon/ad_reports/ReportDebtPaymentTrack.java src/org/openbravo/erpCommon/ad_reports/ReportExpense.java src/org/openbravo/erpCommon/ad_reports/ReportGeneralLedger.java src/org/openbravo/erpCommon/ad_reports/ReportGeneralLedgerJournal.java src/org/openbravo/erpCommon/ad_reports/ReportGuaranteeDateJR.java src/org/openbravo/erpCommon/ad_reports/ReportInventory.java src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerDimensionalAnalyses.java src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerDimensionalAnalysesJR.java src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerEdition.java src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerJR.java src/org/openbravo/erpCommon/ad_reports/ReportInvoiceDiscount.java src/org/openbravo/erpCommon/ad_reports/ReportInvoiceDiscountJR.java src/org/openbravo/erpCommon/ad_reports/ReportInvoiceVendorDimensionalAnalysesJR.java src/org/openbravo/erpCommon/ad_reports/ReportInvoiceVendorJR.java src/org/openbravo/erpCommon/ad_reports/ReportInvoices.java src/org/openbravo/erpCommon/ad_reports/ReportInvoicesJR.java src/org/openbravo/erpCommon/ad_reports/ReportMaterialDimensionalAnalysesJR.java src/org/openbravo/erpCommon/ad_reports/ReportMaterialTransactionEdition.java src/org/openbravo/erpCommon/ad_reports/ReportMaterialTransactionEditionJR.java src/org/openbravo/erpCommon/ad_reports/ReportOffer.java src/org/openbravo/erpCommon/ad_reports/ReportOrderNotInvoiceJR.java src/org/openbravo/erpCommon/ad_reports/ReportParetoProduct.java src/org/openbravo/erpCommon/ad_reports/ReportPendingProductionJr.java src/org/openbravo/erpCommon/ad_reports/ReportPricelist.java src/org/openbravo/erpCommon/ad_reports/ReportProductMovement.java src/org/openbravo/erpCommon/ad_reports/ReportProduction.java src/org/openbravo/erpCommon/ad_reports/ReportProductionCost.java src/org/openbravo/erpCommon/ad_reports/ReportProductionJR.java src/org/openbravo/erpCommon/ad_reports/ReportProductionRunJR.java src/org/openbravo/erpCommon/ad_reports/ReportProjectBuildingSite.java src/org/openbravo/erpCommon/ad_reports/ReportProjectBuildingSiteJR.java src/org/openbravo/erpCommon/ad_reports/ReportProjectProfitabilityJR.java src/org/openbravo/erpCommon/ad_reports/ReportProjectProgress.java src/org/openbravo/erpCommon/ad_reports/ReportPurchaseDimensionalAnalysesJR.java src/org/openbravo/erpCommon/ad_reports/ReportRefundInvoiceCustomerDimensionalAnalyses.java src/org/openbravo/erpCommon/ad_reports/ReportRefundSalesDimensionalAnalyses.java src/org/openbravo/erpCommon/ad_reports/ReportSalesDimensionalAnalyzeJR.java src/org/openbravo/erpCommon/ad_reports/ReportSalesOrderInvoicedJasper.java src/org/openbravo/erpCommon/ad_reports/ReportSalesOrderJR.java src/org/openbravo/erpCommon/ad_reports/ReportSalesOrderOpenItem.java src/org/openbravo/erpCommon/ad_reports/ReportSalesOrderOpenItemJR.java src/org/openbravo/erpCommon/ad_reports/ReportSalesOrderProvidedJR.java src/org/openbravo/erpCommon/ad_reports/ReportShipmentDimensionalAnalyzeJR.java src/org/openbravo/erpCommon/ad_reports/ReportShipmentEditionJR.java src/org/openbravo/erpCommon/ad_reports/ReportShipper.java src/org/openbravo/erpCommon/ad_reports/ReportStandardCostJR.java src/org/openbravo/erpCommon/ad_reports/ReportToInvoiceConsignment.java src/org/openbravo/erpCommon/ad_reports/ReportToInvoiceConsignmentJR.java src/org/openbravo/erpCommon/ad_reports/ReportTotalProductTemplate.java src/org/openbravo/erpCommon/ad_reports/ReportTrialBalance.java src/org/openbravo/erpCommon/ad_reports/ReportTrialBalanceDetail.java src/org/openbravo/erpCommon/ad_reports/ReportValuationStock.java src/org/openbravo/erpCommon/ad_reports/ReportWarehouseControl.java src/org/openbravo/erpCommon/ad_reports/ReportWarehouseDetailInventoryJR.java src/org/openbravo/erpCommon/ad_reports/ReportWarehousePartnerJR.java src/org/openbravo/erpCommon/ad_reports/ReportWorkRequirementDaily.java src/org/openbravo/erpCommon/ad_reports/ReportWorkRequirementDailyEnv.java src/org/openbravo/erpCommon/ad_reports/ReportWorkRequirementJR.java
Steps To Reproduce1. Access Role window and edit "F&B España, S.A - Procurement" role to set it as "User level= Organization"
2. Go to "Org Access" tab and delete records for "España" and "España sur" so role only has access to "España Norte" organization
3. Log out and log in again with "F&B España, S.A - Procurement" role
4. Go to "Purchase Dimensional Report" (which is one of the affected reports) and realize that in Organization combo you are able to see more organizations than "España Norte".
5. Set * organization and run report. Realize that data from other organizations is considered
Proposed SolutionUse #User_Org instead, which contains the organizations that are granted by the role:


ComboTableData comboTableData = new ComboTableData(vars, this, "TABLEDIR", "AD_ORG_ID", "",
          "", Utility.getContext(this, vars, "#User_Org", "XXXX"),
          Utility.getContext(this, vars, "#User_Client", "XXXX"), '*');
TagsNo tags attached.
Attached Files

- Relationships Relation Graph ] Dependency Graph ]
related to design defect 0027459 scheduledreinaldoguerra Data from non-accessible organizations is obtained in Multidimensional reports 
caused by defect 0006199 closedalostale Role with Organisation access can't fill out many required combos 
related to defect 00286753.0PR15Q2 closedreinaldoguerra AccessibleOrgTree wrongly used in some reports 
related to defect 00307813.0PR15Q4 closedvmromanos Define new preference to be able to not include * organization when using #User_Org variable 

-  Notes
(0071608)
ngarcia (developer)
2014-11-12 13:39

It also happens in transactional windows
(0075117)
jorge-garcia (reporter)
2015-03-03 13:34
edited on: 2015-03-05 11:02

Test Plan General:
Remember to change the User Level = 'Organization' and delete some Org Access lines in the Role window for the used roles.

1) Test Plan 1: Asset report for depreciation schedule
As F&B España, S.A - Finance
Go to Asset Report for Deprecation Schedule.
 See that in the Organization combo only logged role's organization are available.
Click on Search button and realize that only data from logged role's organizations is considered, as these organizations are selected in the combo.

2) Test Plan 2: Invoice Taxes Report
As System Administrator:
Go to Process and Reports Window and activate this report
Go to Menu and activate Invoice Taxes Report menu
As F&B España, S.A - Finance
Go to Invoice Taxes Report and fill the mandatory filters.
 From Date: 01-01-2014
 To Date: 31-12-2014
Click on HTML Format and realize that only data from logged role's organizations is considered, as these organizations are selected in the combo.

3) Test Plan 3: Pareto Product Report
/* Optional*/
As F&B International Group Admin,
Go to Role window and select one of the roles
Go to Report and Process Access tab and give access to the Pareto Product Report

With the selected Role
Go to Pareto Product Report and fill the mandatory filters.
 Currency: Currency of the report
 Warehouse: Warehouse of the selected organization
Click on Search and realize that only data from selected organizations and warehouse is considered.

4) Test Plan 4: Create Budget Reports in Excel
As F&B España, S.A - Finance
Go to Create Budget Reports in Excel and fill the mandatory filters.
 General Ledger: F&B España, S.A. US/A/Euro
 Account Element: any
Realize that only organizations from the logged role appears in the Trx organization combo .Click on Generate Excel.

5) Test Plan 5: Payment Aging Balance
/* Optional*/ Former report.
As System Administrator,
Go to Report and Process window and activate the Payment Aging Balance Report
Go to the Menu window and activate the Payment Aging Balance menu

As F&B International Group Admin,
Go to Role window and select one of the roles
Go to Report and Process Access tab and give access to the Payment Aging Balance report

With the selected role realize that only organizations from the logged role appears in the Organization list.

6) Test Plan 6: Sales Order Returns dimensional Report
As System Administrator,
Go to Report and Process window and activate the Sales Order Returns Dimensional Report
Go to the Menu window and activate the Sales Order Returns Dimensional Report if it's not active yet

As F&B International Group Admin,
Go to Role window and select one of the roles
Go to Report and Process Access tab and give access to the Sales Order Returns Dimensional report

With the selected Role
Go to Sales Order Returns Dimensional Report and fill the mandatory filters.
 From Date: 01-01-2011
 To Date: 31-03-2011
See that in the Organization combo only logged role's organization are available.

7) Test Plan 7: Orders Awaiting Invoice Report
/* Optional*/
As F&B International Group Admin,
Go to Role window and select one of the roles
Go to Report and Process Access tab and give access to the Orders Awaiting Invoice report

With the selected role
Go to Orders Awaiting Invoice Report and fill the mandatory filters.
See that in the Organization combo only logged role's organization are available.

8) Test Plan 8: Shipments Dimensional Report
As F&B España, S.A - Finance
Go to Shipments Dimensional Report and fill the mandatory filters.
 From Date: 01-02-2011
 To Date: 31-02-2011
 See that in the Organization combo only logged role's organization are available.
Click on HTML Format and realize that only data from logged role's organizations is considered, as these organizations are selected in the combo.

9) Test Plan 9: Project Profitability
/* Optional*/
As F&B International Group Admin,
Go to Role window and select one of the roles
Go to Report and Process Access tab and give access to the Project Profitability

With the selected role
Go to Project Profitability and fill the mandatory filters.
See that in the Organization combo only logged role's organization are available.

10) Test Plan 10: Withholding Report
As System Administrator,
Go to Report and Process window and activate the Withholding Report
Go to the Menu window and activate the Withholding Report if it's not active yet

As F&B International Group Admin,
Go to Role window and select one of the roles
Go to Report and Process Access tab and give access to the Withholding Report

With the selected Role
Go to Withholding Report and fill the mandatory filters.
See that in the Organization combo only logged role's organization are available.

11) Test Plan 11: Goods Receipts Dimensional Report
As F&B España, S.A - Finance
Go to Goods Receipts Dimensional Report and fill the mandatory filters.
 From Date: 01-02-2011
 To Date: 31-03-2011
 See that in the Organization combo only logged role's organization are available.

12) Test Plan 12: Sales Invoice Dimensional Report
As F&B España, S.A - Finance
Go to Sales Invoice Dimensional Report and fill the mandatory filters.
 From Date: 01-02-2011
 To Date: 31-03-2011
 See that in the Organization combo only logged role's organization are available.

13) Test Plan 13: Orders Awaiting Delivery Report
As F&B España S.A. - Warehouse
Go to Orders Awaiting Delivery Report
See that in the Organization combo only logged role's organization are available.
Click on PDF format button and realize that only data from logged role's organizations is considered, as these organizations are selected in the combo.

(0075486)
hgbot (developer)
2015-03-12 13:41

Repository: erp/devel/pi
Changeset: e5cd53fc814121bab1e327289c7636253b4f90b9
Author: Jorge Garcia <jorge.garcia <at> openbravo.com>
Date: Tue Feb 17 12:33:34 2015 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/e5cd53fc814121bab1e327289c7636253b4f90b9 [^]

Fixed issue 27953 AccessibleOrgTree wrongly used in some reports

In many manual reports the organization combo is filled using:

ComboTableData comboTableData = new ComboTableData(vars, this,
  "TABLEDIR", "AD_ORG_ID", "", "", Utility.getContext(this, vars,
  "#AccessibleOrgTree", "XXXX"), Utility.getContext(this, vars,
  "#User_Client", "XXXX"), '*');

“#AccessibleOrgTree” context gets the list of all the granted organizations,
their ancestors and their descendants organizations. It's necessary to use
“#User_Org” instead, which contains the organizations that are granted
by the role:

ComboTableData comboTableData = new ComboTableData(vars, this,
  "TABLEDIR", "AD_ORG_ID", "", "", Utility.getContext(this, vars,
  "#User_Org", "XXXX"), Utility.getContext(this, vars,
  "#User_Client", "XXXX"), '*');

Reports from these folders had been checked:
src/org/openbravo/erpCommon/ad_reports
src/org/openbravo/erpReports

Files affected by this issue had been changed and tried

---
M modules/org.openbravo.reports.ordersawaitingdelivery/src/org/openbravo/reports/ordersawaitingdelivery/erpCommon/ad_reports/ReportOrderNotShipped.java
M src/org/openbravo/erpCommon/ad_reports/ReportAgingBalance.java
M src/org/openbravo/erpCommon/ad_reports/ReportAnnualCertification.java
M src/org/openbravo/erpCommon/ad_reports/ReportAssetDepreciationSchedule.java
M src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java
M src/org/openbravo/erpCommon/ad_reports/ReportCashFlow.java
M src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerDimensionalAnalysesJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportMaterialDimensionalAnalysesJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportOrderNotInvoiceJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportParetoProduct.java
M src/org/openbravo/erpCommon/ad_reports/ReportProjectProfitabilityJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportRefundSalesDimensionalAnalyses.java
M src/org/openbravo/erpCommon/ad_reports/ReportShipmentDimensionalAnalyzeJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportTaxInvoiceJR.java
---
(0075487)
hgbot (developer)
2015-03-12 13:41

Repository: erp/devel/pi
Changeset: 9e165ce2e31193b859c04864358d30bbfb6f040d
Author: Jorge Garcia <jorge.garcia <at> openbravo.com>
Date: Tue Mar 03 12:04:20 2015 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/9e165ce2e31193b859c04864358d30bbfb6f040d [^]

Related to issue 27953: Updated Copyright

Updated Copyright dates

---
M modules/org.openbravo.reports.ordersawaitingdelivery/src/org/openbravo/reports/ordersawaitingdelivery/erpCommon/ad_reports/ReportOrderNotShipped.java
M src/org/openbravo/erpCommon/ad_reports/ReportAgingBalance.java
M src/org/openbravo/erpCommon/ad_reports/ReportAnnualCertification.java
M src/org/openbravo/erpCommon/ad_reports/ReportAssetDepreciationSchedule.java
M src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java
M src/org/openbravo/erpCommon/ad_reports/ReportCashFlow.java
M src/org/openbravo/erpCommon/ad_reports/ReportMaterialDimensionalAnalysesJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportOrderNotInvoiceJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportParetoProduct.java
M src/org/openbravo/erpCommon/ad_reports/ReportProjectProfitabilityJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportRefundSalesDimensionalAnalyses.java
M src/org/openbravo/erpCommon/ad_reports/ReportShipmentDimensionalAnalyzeJR.java
M src/org/openbravo/erpCommon/ad_reports/ReportTaxInvoiceJR.java
---
(0075488)
aferraz (manager)
2015-03-12 13:42

Code review + Testing OK
(0075514)
hudsonbot (developer)
2015-03-13 03:18

A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/6f599d5217c4 [^]
Maturity status: Test
(0075515)
hudsonbot (developer)
2015-03-13 03:18

A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/6f599d5217c4 [^]
Maturity status: Test

- Issue History
Date Modified Username Field Change
2014-10-22 18:51 vmromanos New Issue
2014-10-22 18:51 vmromanos Assigned To => dmiguelez
2014-10-22 18:51 vmromanos Modules => Core
2014-10-22 18:51 vmromanos Triggers an Emergency Pack => No
2014-10-22 18:52 vmromanos Relationship added caused by 0006199
2014-10-22 18:52 vmromanos Relationship added related to 0027459
2014-11-10 19:06 ngarcia Issue Monitored: ngarcia
2014-11-12 13:39 ngarcia Note Added: 0071608
2014-11-18 19:12 jonalegriaesarte Resolution time => 1418943600
2014-12-22 16:48 shuehner Issue Monitored: shuehner
2015-01-19 13:21 Sandrahuguet Relationship added related to 0028675
2015-02-11 16:44 Sandrahuguet Assigned To dmiguelez => jorge-garcia
2015-02-18 11:56 Sandrahuguet Status new => scheduled
2015-02-18 11:56 Sandrahuguet fix_in_branch => pi
2015-02-26 08:48 Sandrahuguet Review Assigned To => aferraz
2015-02-26 08:48 Sandrahuguet fix_in_branch pi =>
2015-03-03 13:34 jorge-garcia Note Added: 0075117
2015-03-04 15:01 psanjuan Note Edited: 0075117 View Revisions
2015-03-05 11:02 psanjuan Note Edited: 0075117 View Revisions
2015-03-12 13:41 hgbot Checkin
2015-03-12 13:41 hgbot Note Added: 0075486
2015-03-12 13:41 hgbot Status scheduled => resolved
2015-03-12 13:41 hgbot Resolution open => fixed
2015-03-12 13:41 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/e5cd53fc814121bab1e327289c7636253b4f90b9 [^]
2015-03-12 13:41 hgbot Checkin
2015-03-12 13:41 hgbot Note Added: 0075487
2015-03-12 13:42 aferraz Note Added: 0075488
2015-03-12 13:42 aferraz Status resolved => closed
2015-03-13 03:18 hudsonbot Checkin
2015-03-13 03:18 hudsonbot Note Added: 0075514
2015-03-13 03:18 hudsonbot Checkin
2015-03-13 03:18 hudsonbot Note Added: 0075515
2015-09-07 14:11 vmromanos Relationship added related to 0030781


Copyright © 2000 - 2009 MantisBT Group
Powered by Mantis Bugtracker