Anonymous | Login
Project:
RSS
  
News | My View | View Issues | Roadmap | Summary

View Issue DetailsJump to Notes ] Issue History ] Print ]
ID
0028842
TypeCategorySeverityReproducibilityDate SubmittedLast Update
defect[Openbravo ERP] A. Platformmajoralways2015-02-03 12:412016-06-17 19:36
ReporterjecharriView Statuspublic 
Assigned ToNaroaIriarte 
PriorityurgentResolutionfixedFixed in Version3.0PR15Q2
StatusclosedFix in branchFixed in SCM revision98cf7142eebe
ProjectionnoneETAnoneTarget Version
OSAnyDatabaseAnyJava version
OS VersionDatabase versionAnt version
Product VersionSCM revision 
Review Assigned ToAugustoMauch
Web browserGoogle Chrome
ModulesCore
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary

0028842: When you attach a file, the created record in table c_file has context organization instead of document organization

DescriptionWhen you attach a file, the created record in table c_file has context organization instead of document organization
Steps To Reproduce-Login to ERP
-Your context should have "EspaƱa Norte" organization
-Go to window sales order and select an org with organization "F&B US East Coast"
-Attach a file
-Login with a role that only have access to "F&B US East Coast" verify that can not see attached file

The problem is that created record in table c_file has the context organization instead of document organization.

It could be necessary a modulescript
TagsNo tags attached.
Attached Files

- Relationships Relation Graph ] Dependency Graph ]
related to defect 0029057 closedAugustoMauch When you create a note, the created record in table has context organization instead of document organization 
related to defect 00290643.0PR15Q3 closedNaroaIriarte When you create a note, the created record in table obuiapp_note has context organization instead of document organization 
related to defect 00293133.0PR15Q2 closedalostale Download attachments selecting several records is not working fine 
related to defect 0029326 closedalostale attachment download from multi record does not perform correct organization access check 

-  Notes
(0074063)
Guillaume_Jump (reporter)
2015-02-04 03:54

Good Morning,

Doing more tests on that we found that the same problem also applies to Notes.
(0075150)
hgbot (developer)
2015-03-04 12:18

Repository: erp/devel/pi
Changeset: afec99f5af4390c1360af46f504bd7399f709f32
Author: Naroa Iriarte <naroa.iriarte <at> openbravo.com>
Date: Thu Feb 26 13:45:06 2015 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/afec99f5af4390c1360af46f504bd7399f709f32 [^]

Fixed issue 28842: There are problems to handle attachments.

There were two problems:
First: When storing an attachment in the database (c_file table), the current
 organization of the user was used instead of the organization of the document where the
file is being attached to. The aim of this fix is to take the value of the organization
of the attached document instead of the current user organization.
Second: When an attachment was created with an organization and after that, the
 organization of the document was changed, it was not possible to download it, update it nor delete
it with a user who does not have access to the organization used to create the attachment.

To fix the first part, a new field that stores the document organization has been added to the canvas
 of the OBAttachmentsSectionItem class in the fillAttachments function. After that the
 field is sent as a param in the request, and can be used in the TabAttachments.java class
to be included to create the new record in c_file.

To fix the second part, the way the attachments are retrieved in the TabAttachments and in the
AttachmentsAH classes has been modified. Now the automated organization filter is disabled,
so the organization of the attachment is not taken into accout. It is needed that the user has at
least readable access to the document's organization for downloading, deleting or editing its attachments
a new method has been added to the SecurityChecker class for checking this.

---
M modules/org.openbravo.client.application/src/org/openbravo/client/application/window/AttachmentsAH.java
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/form/ob-view-form-attachments.js
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/form/ob-view-form-linked-items.js
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/form/ob-view-form.js
M src/org/openbravo/dal/security/SecurityChecker.java
M src/org/openbravo/erpCommon/businessUtility/TabAttachments.java
---
(0075151)
AugustoMauch (developer)
2015-03-04 12:19

Code reviewed and verified in pi@afec99f5af43
(0075152)
AugustoMauch (developer)
2015-03-04 12:27

A module script was not needed, as now the organization of the attachment (which was the data that would have been needed to be corrected in the modulescript) is not taken into accout to interact (download, edit, remove) with an attachment.

Now, if a user has access to the document where the files are attached to, it will have access to all its attachments.
(0075159)
hgbot (developer)
2015-03-04 15:02

Repository: erp/devel/pi
Changeset: cc464383f9e11fa224a55341a45914c46433c04f
Author: Augusto Mauch <augusto.mauch <at> openbravo.com>
Date: Wed Mar 04 15:01:42 2015 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/cc464383f9e11fa224a55341a45914c46433c04f [^]

Related with issue 28842: Improves javadoc of checkReadableAccess method

---
M src/org/openbravo/dal/security/SecurityChecker.java
---
(0075206)
hudsonbot (developer)
2015-03-05 17:01

A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/2369c54c9f14 [^]
Maturity status: Test
(0075207)
hudsonbot (developer)
2015-03-05 17:01

A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/2369c54c9f14 [^]
Maturity status: Test
(0085698)
hgbot (developer)
2016-04-18 13:02

Repository: erp/devel/pi
Changeset: 98cf7142eebe2d555da6108bb5f51f68cc325afb
Author: Naroa Iriarte <naroa.iriarte <at> openbravo.com>
Date: Thu Feb 26 13:45:06 2015 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/98cf7142eebe2d555da6108bb5f51f68cc325afb [^]

Fixed issue 28842: There are problems to handle attachments.

There were two problems:
First: When storing an attachment in the database (c_file table), the current
 organization of the user was used instead of the organization of the document where the
file is being attached to. The aim of this fix is to take the value of the organization
of the attached document instead of the current user organization.
Second: When an attachment was created with an organization and after that, the
 organization of the document was changed, it was not possible to download it, update it nor delete
it with a user who does not have access to the organization used to create the attachment.

To fix the first part, a new field that stores the document organization has been added to the canvas
 of the OBAttachmentsSectionItem class in the fillAttachments function. After that the
 field is sent as a param in the request, and can be used in the TabAttachments.java class
to be included to create the new record in c_file.

To fix the second part, the way the attachments are retrieved in the TabAttachments and in the
AttachmentsAH classes has been modified. Now the automated organization filter is disabled,
so the organization of the attachment is not taken into accout. It is needed that the user has at
least readable access to the document's organization for downloading, deleting or editing its attachments
a new method has been added to the SecurityChecker class for checking this.

---
M modules/org.openbravo.client.application/src/org/openbravo/client/application/window/AttachmentsAH.java
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/form/ob-view-form-attachments.js
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/form/ob-view-form-linked-items.js
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/form/ob-view-form.js
M src/org/openbravo/dal/security/SecurityChecker.java
M src/org/openbravo/erpCommon/businessUtility/TabAttachments.java
---
(0085699)
hgbot (developer)
2016-04-18 13:02

Repository: erp/devel/pi
Changeset: b036e3dfa2a5e8924a164e9b237a3582450a2a75
Author: Augusto Mauch <augusto.mauch <at> openbravo.com>
Date: Wed Mar 04 15:01:42 2015 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/b036e3dfa2a5e8924a164e9b237a3582450a2a75 [^]

Related with issue 28842: Improves javadoc of checkReadableAccess method

---
M src/org/openbravo/dal/security/SecurityChecker.java
---
(0085734)
gorkaion (developer)
2016-04-19 09:54

issue reopened by attachment enhancement project merge. checked that it is not reproduced.
(0087457)
hudsonbot (developer)
2016-06-17 19:36

A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/0dc7be081b1c [^]
Maturity status: Test
(0087458)
hudsonbot (developer)
2016-06-17 19:36

A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/0dc7be081b1c [^]
Maturity status: Test

- Issue History
Date Modified Username Field Change
2015-02-03 12:41 jecharri New Issue
2015-02-03 12:41 jecharri Assigned To => AugustoMauch
2015-02-03 12:41 jecharri Web browser => Google Chrome
2015-02-03 12:41 jecharri Modules => Core
2015-02-03 12:41 jecharri Triggers an Emergency Pack => No
2015-02-04 03:54 Guillaume_Jump Note Added: 0074063
2015-02-09 12:38 alostale Status new => scheduled
2015-02-09 12:38 alostale Assigned To AugustoMauch => NaroaIriarte
2015-02-09 12:38 alostale fix_in_branch => pi
2015-02-25 08:40 alostale Relationship added related to 0029057
2015-02-25 13:15 caristu Relationship added related to 0029064
2015-03-04 12:17 AugustoMauch Issue Monitored: AugustoMauch
2015-03-04 12:17 AugustoMauch Review Assigned To => AugustoMauch
2015-03-04 12:17 AugustoMauch Web browser Google Chrome => Google Chrome
2015-03-04 12:17 AugustoMauch fix_in_branch pi =>
2015-03-04 12:18 hgbot Checkin
2015-03-04 12:18 hgbot Note Added: 0075150
2015-03-04 12:18 hgbot Status scheduled => resolved
2015-03-04 12:18 hgbot Resolution open => fixed
2015-03-04 12:18 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/afec99f5af4390c1360af46f504bd7399f709f32 [^]
2015-03-04 12:19 AugustoMauch Note Added: 0075151
2015-03-04 12:19 AugustoMauch Status resolved => closed
2015-03-04 12:19 AugustoMauch Fixed in Version => 3.0PR15Q2
2015-03-04 12:26 AugustoMauch Web browser Google Chrome => Google Chrome
2015-03-04 12:26 AugustoMauch Steps to Reproduce Updated View Revisions
2015-03-04 12:27 AugustoMauch Note Added: 0075152
2015-03-04 15:02 hgbot Checkin
2015-03-04 15:02 hgbot Note Added: 0075159
2015-03-05 17:01 hudsonbot Checkin
2015-03-05 17:01 hudsonbot Note Added: 0075206
2015-03-05 17:01 hudsonbot Checkin
2015-03-05 17:01 hudsonbot Note Added: 0075207
2015-03-18 08:59 alostale Relationship added related to 0024289
2015-03-18 08:59 alostale Relationship deleted related to 0024289
2015-03-18 09:01 alostale Relationship added related to 0029313
2015-03-18 09:19 alostale Relationship added related to 0029326
2016-04-18 13:02 hgbot Checkin
2016-04-18 13:02 hgbot Note Added: 0085698
2016-04-18 13:02 hgbot Status closed => resolved
2016-04-18 13:02 hgbot Fixed in SCM revision http://code.openbravo.com/erp/devel/pi/rev/afec99f5af4390c1360af46f504bd7399f709f32 [^] => http://code.openbravo.com/erp/devel/pi/rev/98cf7142eebe2d555da6108bb5f51f68cc325afb [^]
2016-04-18 13:02 hgbot Checkin
2016-04-18 13:02 hgbot Note Added: 0085699
2016-04-19 09:54 gorkaion Note Added: 0085734
2016-04-19 09:54 gorkaion Status resolved => closed
2016-06-17 19:36 hudsonbot Checkin
2016-06-17 19:36 hudsonbot Note Added: 0087457
2016-06-17 19:36 hudsonbot Checkin
2016-06-17 19:36 hudsonbot Note Added: 0087458


Copyright © 2000 - 2009 MantisBT Group
Powered by Mantis Bugtracker