View Issue Details

ID | 0030253
Type | design defect
Category | [Openbravo ERP] C. Security
Severity | major
Reproducibility | always
Date Submitted | 2015-06-26 09:12
Last Update | 2022-02-01 08:09
Reporter | vmromanos
View Status | public
Assigned To | Triage Platform Base
Priority | normal
Resolution | open
Fixed in Version |
Status | new
Fix in branch |
Fixed in SCM revision |
Projection | none
ETA | none
Target Version |
OS | Any
Database | Any
Java version |
OS Version |
Database version |
Ant version |
Product Version |
SCM revision |
Review Assigned To |
Web browser |
Modules | Core
Regression level |
Regression date |
Regression introduced in release |
Regression introduced by commit |
Triggers an Emergency Pack | No
Summary | 0030253: Automatic roles and initial organization setup inconsistency
Description |
A role can be defined as Manual = N, which means that the role automatically gets all standard user plus admin privileges, even when new elements such as windows, processes, forms, widget classes or organizations are added. See http://wiki.openbravo.com/wiki/Role

When you run an Initial Org Setup, you have the ability to create a new role that is associated only with the newly created organization. This works fine. See http://wiki.openbravo.com/wiki/Initial_organization_setup

However, if you create another organization, the system automatically adds this new organization to the role created in the first Initial Organization Setup run. This could be considered a security issue for the first role, because the user probably expects that role to have access only to the organization created for it.

The inconsistency comes from the definitions of the two processes, which conflict with each other:
* Initial Org Setup creates an Automatic Role (Manual=N) with access only for the selected organization
* New organizations are automatically added to all roles with Manual=N

This behavior is controlled in the AD_ORG_TRG trigger:

    IF(INSERTING) THEN
      -- Add to all roles of the client
      INSERT INTO AD_Role_OrgAccess (
        AD_Role_OrgAccess_ID, AD_Role_ID, AD_Client_ID, AD_Org_ID,
        IsActive, Created, CreatedBy, Updated, UpdatedBy, is_org_admin
      )
      SELECT get_uuid(), AD_Role_ID, :new.AD_Client_ID, :new.AD_Org_ID,
             'Y', now(), :new.CreatedBy, now(), :new.CreatedBy, 'Y'
      FROM AD_Role
      WHERE AD_Client_ID=:new.AD_Client_ID AND IsManual='N';
Steps To Reproduce |
As System Admin:
1. Create a new client
2. Log into the new client
3. Run Initial Organization Setup (Name: o1, Org user name: 01)
4. Go to the Role window
5. Verify that a new role for the o1 organization only has been created
6. Run Initial Organization Setup (Name: o2, Org user name: 02)
7. Go to the Role window
8. Verify that a new role for the o2 organization only has been created
9. Verify that the previous role for organization o1 now has access to o2 too. This situation could create a security problem.
Proposed Solution |
1. Study the situation and decide on a solution. Idea: add a new flag at role level to control whether new organizations are added to the role. AD_ORG_TRG should be adapted accordingly.
2. On the other hand, AD_ORG_TRG should only run this code for Client/Organization or Organization-only access level roles. Right now it adds the organization to roles at other access levels (like Client or System), which is not needed at all.
Tags | No tags attached.
Attached Files |
Relationships |
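To make the inconsistency described above concrete, here is an added example (not Openbravo's code and not part of the ticket) that models the quoted AD_ORG_TRG logic and the proposed solution in an in-memory SQLite database using Python. Table and column names follow the ticket (AD_Org, AD_Role, AD_Role_OrgAccess, IsManual); the autoaddneworgs column is a hypothetical name for the proposed role-level flag, the UserLevel codes ' CO', '  O' and 'S' are assumed Openbravo-style encodings, and every client, organization and role identifier is constructed sample data. The scenario follows the Steps To Reproduce: two Initial Organization Setup runs, with the original trigger and then with a hardened one that applies both points of the proposed solution.

```python
import sqlite3

CLIENT_ID = "client-1"  # constructed sample client id

# Model of the AD_ORG_TRG logic quoted in the ticket (SQLite syntax; not Openbravo's trigger).
TRIGGER_ORIGINAL = """
CREATE TRIGGER ad_org_trg AFTER INSERT ON ad_org
BEGIN
  -- Add the new organization to every automatic (IsManual='N') role of the client
  INSERT OR IGNORE INTO ad_role_orgaccess
      (ad_role_orgaccess_id, ad_role_id, ad_client_id, ad_org_id, isactive, is_org_admin)
  SELECT lower(hex(randomblob(16))), ad_role_id, NEW.ad_client_id, NEW.ad_org_id, 'Y', 'Y'
  FROM ad_role
  WHERE ad_client_id = NEW.ad_client_id AND ismanual = 'N';
END;
"""

# Hardened variant implementing the proposed solution:
#  - a hypothetical role-level flag (autoaddneworgs) opts a role in to receiving new organizations
#  - only Client/Organization (' CO') and Organization ('  O') level roles are touched
TRIGGER_HARDENED = """
CREATE TRIGGER ad_org_trg AFTER INSERT ON ad_org
BEGIN
  INSERT OR IGNORE INTO ad_role_orgaccess
      (ad_role_orgaccess_id, ad_role_id, ad_client_id, ad_org_id, isactive, is_org_admin)
  SELECT lower(hex(randomblob(16))), ad_role_id, NEW.ad_client_id, NEW.ad_org_id, 'Y', 'Y'
  FROM ad_role
  WHERE ad_client_id = NEW.ad_client_id
    AND ismanual = 'N'
    AND autoaddneworgs = 'Y'
    AND userlevel IN (' CO', '  O');
END;
"""

# Minimal schema: only the columns the trigger and the scenario need (assumed, simplified).
SCHEMA = """
CREATE TABLE ad_org (ad_org_id TEXT PRIMARY KEY, ad_client_id TEXT, name TEXT);
CREATE TABLE ad_role (ad_role_id TEXT PRIMARY KEY, ad_client_id TEXT, name TEXT,
                      ismanual TEXT, userlevel TEXT, autoaddneworgs TEXT);
CREATE TABLE ad_role_orgaccess (ad_role_orgaccess_id TEXT PRIMARY KEY, ad_role_id TEXT,
                                ad_client_id TEXT, ad_org_id TEXT, isactive TEXT,
                                is_org_admin TEXT, UNIQUE (ad_role_id, ad_org_id));
"""


def new_db(hardened):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + (TRIGGER_HARDENED if hardened else TRIGGER_ORIGINAL))
    return conn


def add_role(conn, role_id, name, userlevel, autoaddneworgs):
    # Every role here is automatic (IsManual='N'), which is what the trigger keys on.
    conn.execute("INSERT INTO ad_role VALUES (?,?,?,?,?,?)",
                 (role_id, CLIENT_ID, name, "N", userlevel, autoaddneworgs))


def initial_org_setup(conn, org_id, name):
    """Model of Initial Organization Setup: create the org, then an automatic role for it only."""
    conn.execute("INSERT INTO ad_org VALUES (?,?,?)", (org_id, CLIENT_ID, name))  # fires ad_org_trg
    role_id = f"role-{org_id}"
    add_role(conn, role_id, f"{name} Admin", " CO", "N")  # opted out of future organizations
    conn.execute("INSERT OR IGNORE INTO ad_role_orgaccess VALUES (?,?,?,?,?,?)",
                 (f"access-{role_id}", role_id, CLIENT_ID, org_id, "Y", "Y"))
    conn.commit()


def org_access(conn):
    """Return {role name: sorted list of organization names the role can access}."""
    rows = conn.execute("""SELECT r.name, o.name FROM ad_role_orgaccess a
                           JOIN ad_role r ON r.ad_role_id = a.ad_role_id
                           JOIN ad_org o ON o.ad_org_id = a.ad_org_id
                           ORDER BY 1, 2""").fetchall()
    result = {}
    for role, org in rows:
        result.setdefault(role, []).append(org)
    return result


def run_scenario(hardened):
    conn = new_db(hardened)
    # A client-wide automatic admin role that should keep receiving new organizations.
    add_role(conn, "role-client-admin", "Client Admin", " CO", "Y")
    # A System-level automatic role: organization access rows are not needed for it.
    add_role(conn, "role-system", "System Role", "S", "Y")
    initial_org_setup(conn, "org-1", "o1")
    initial_org_setup(conn, "org-2", "o2")
    return org_access(conn)


if __name__ == "__main__":
    print("original trigger:", run_scenario(hardened=False))
    print("hardened trigger:", run_scenario(hardened=True))
```

With the original trigger, "o1 Admin" ends up with access to both o1 and o2 (the defect in the ticket) and the System-level role receives organization rows it cannot use; with the hardened trigger, "o1 Admin" keeps o1 only, while the client-wide admin role that opted in still receives every new organization.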
Issue History
Date Modified | Username | Field | Change |
2015-06-26 09:12 | vmromanos | New Issue | |
2015-06-26 09:12 | vmromanos | Assigned To | => platform |
2015-06-26 09:12 | vmromanos | Modules | => Core |
2015-06-26 09:12 | vmromanos | Triggers an Emergency Pack | => No |
2015-06-26 09:15 | vmromanos | Proposed Solution updated | |
2015-06-26 09:16 | vmromanos | Relationship added | related to 0030057 |
2015-06-26 09:17 | vmromanos | Relationship added | caused by 0010548 |
2022-02-01 08:09 | alostale | Assigned To | platform => Triage Platform Base |