Project:
| View Issue Details[ Jump to Notes ] | [ Issue History ] [ Print ] | |||||||
| ID | ||||||||
| 0029326 | ||||||||
| Type | Category | Severity | Reproducibility | Date Submitted | Last Update | |||
| defect | [Openbravo ERP] A. Platform | minor | have not tried | 2015-03-18 09:18 | 2015-03-20 12:35 | |||
| Reporter | alostale | View Status | public | |||||
| Assigned To | alostale | |||||||
| Priority | urgent | Resolution | fixed | Fixed in Version | 3.0PR15Q2 | |||
| Status | closed | Fix in branch | Fixed in SCM revision | fe1d0d1cf4ba | ||||
| Projection | none | ETA | none | Target Version | ||||
| OS | Any | Database | Any | Java version | ||||
| OS Version | Database version | Ant version | ||||||
| Product Version | SCM revision | |||||||
| Review Assigned To | AugustoMauch | |||||||
| Web browser | ||||||||
| Modules | Core | |||||||
| Regression level | ||||||||
| Regression date | ||||||||
| Regression introduced in release | ||||||||
| Regression introduced by commit | ||||||||
| Triggers an Emergency Pack | No | |||||||
| Summary | 0029326: attachment download from multi record does not perform correct organization access check | |||||||
| Description | When downloading attachments the attachment's record's organization is checked to guarantee current user has access to it. Note this is done a extra security check to prevent direct requests to ungranted records but it is not possible to do it from UI. This check is not correctly done when downloading attachments from different records at once. | |||||||
| Steps To Reproduce | It can't be reproduced from UI. Two ways: 1. Generate a request to download attachments from multiple records, being at least one of them in an organization the current session doesn't have access to. --> ERROR: it is allowed but it shouldn't 2. Debug org.openbravo.erpCommon.businessUtility.TabAttachments.printPageFileMultiple and download attachments from several records at once. --> ERROR: SecurityChecker is bypassed because object is null in this code if (object instanceof OrganizationEnabled) { SecurityChecker.getInstance().checkReadableAccess((OrganizationEnabled) object); } | |||||||
| Tags | No tags attached. | |||||||
| Attached Files | ||||||||
 Relationships [ Relation Graph ]
[ Dependency Graph ]
|
||||||||
|
||||||||
 Relationships |
|
Notes |
|
|
(0075719) hgbot (developer) 2015-03-18 09:27 |
Repository: erp/devel/pi Changeset: fe1d0d1cf4ba858c8e162a1405866dfbff007f38 Author: Asier Lostalé <asier.lostale <at> openbravo.com> Date: Wed Mar 18 09:26:06 2015 +0100 URL: http://code.openbravo.com/erp/devel/pi/rev/fe1d0d1cf4ba858c8e162a1405866dfbff007f38 [^] fixed bug 29326: multi record attachment download does not check org access When downloading attachemnts from different records at once, attachment's record's organization was not checked to be accessible. The problem was it tried to get a single record with id as concatenation of all ids. The fix iterates over all the records and check org access for each of them individually. --- M src/org/openbravo/erpCommon/businessUtility/TabAttachments.java --- |
|
(0075743) hudsonbot (developer) 2015-03-18 15:38 |
A changeset related to this issue has been promoted main and to the Central Repository, after passing a series of tests. Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/327af339611e [^] Maturity status: Test |
|
(0075790) AugustoMauch (manager) 2015-03-20 12:35 |
Code reviewed and verified in pi@b7fd6844f03f |
|
Notes |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2015-03-18 09:18 | alostale | New Issue | |
| 2015-03-18 09:18 | alostale | Assigned To | => platform |
| 2015-03-18 09:18 | alostale | Modules | => Core |
| 2015-03-18 09:18 | alostale | Triggers an Emergency Pack | => No |
| 2015-03-18 09:19 | alostale | Relationship added | related to 0028842 |
| 2015-03-18 09:19 | alostale | Assigned To | platform => alostale |
| 2015-03-18 09:20 | alostale | Review Assigned To | => AugustoMauch |
| 2015-03-18 09:27 | hgbot | Checkin | |
| 2015-03-18 09:27 | hgbot | Note Added: 0075719 | |
| 2015-03-18 09:27 | hgbot | Status | new => resolved |
| 2015-03-18 09:27 | hgbot | Resolution | open => fixed |
| 2015-03-18 09:27 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/devel/pi/rev/fe1d0d1cf4ba858c8e162a1405866dfbff007f38 [^] |
| 2015-03-18 15:38 | hudsonbot | Checkin | |
| 2015-03-18 15:38 | hudsonbot | Note Added: 0075743 | |
| 2015-03-20 12:35 | AugustoMauch | Note Added: 0075790 | |
| 2015-03-20 12:35 | AugustoMauch | Status | resolved => closed |
| 2015-03-20 12:35 | AugustoMauch | Fixed in Version | => 3.0PR15Q2 |
|
Issue History |
| Copyright © 2000 - 2009 MantisBT Group |
 |