ID | ||||||||
0032398 | ||||||||
Type | Category | Severity | Reproducibility | Date Submitted | Last Update | |||
feature request | [Openbravo ERP] A. Platform | minor | always | 2016-03-03 16:09 | 2016-06-17 19:37 | |||
Reporter | JONHM | View Status | public | |||||
Assigned To | alostale | |||||||
Priority | normal | Resolution | fixed | Fixed in Version | 3.0PR16Q3 | |||
Status | closed | Fix in branch | Fixed in SCM revision | 5438c3739fa2 | ||||
Projection | none | ETA | none | Target Version | ||||
OS | Any | Database | Any | Java version | ||||
OS Version | Database version | Ant version | ||||||
Product Version | 3.0PR15Q4.3 | SCM revision | ||||||
Review Assigned To | caristu | |||||||
Web browser | ||||||||
Modules | Core | |||||||
Regression level | ||||||||
Regression date | ||||||||
Regression introduced in release | ||||||||
Regression introduced by commit | ||||||||
Triggers an Emergency Pack | No | |||||||
Summary | 0032398: Role with Organization user level cannot see data in System/Client tables even if granted | |||||||
Description | A user having a role set at Organization level cannot have access to "Currency" window and also cannot copy invoice lines in "Purchase Invoice" window | |||||||
Steps To Reproduce |
1) Create a user with a role set as Organization Level and assign windows "Currency" and "Purchase Invoice"
2) Sign up with new user
3) Open Currency window -> The window is opened but no data is shown with message: "With your current role and settings, you cannot view this information"
4) Create a new invoice line, save it and push the button "Copy Lines" -> Error message: Entity Currency is not directly readable, only id and identifier properties are readable, property Currency.pricePrecision is neither of these. | |||||||
Proposed Solution | This default behavior will be preserved, adding a new Preference (Bypass Access Level Entity Check) that allows skipping these checks. http://wiki.openbravo.com/wiki/Role#Role | |||||||
Tags | No tags attached. | |||||||
Notes | |
(0084693) alostale (manager) 2016-03-03 16:42 |
This issue describes two topics:
1. Roles defined as Organization level cannot access data in tabs for System or System/Only tables, which is the case of Currency and Conversion Rates windows. This is as per design, so not an issue.
2. Copy Lines process requires explicit access to Currency entity. This can be reproduced with a role with access to only Sales Invoice window. This can be considered as an issue because having access to Sales Invoice window should grant access also to execute its processes. |
(0086066) hgbot (developer) 2016-04-29 07:30 |
Repository: erp/devel/pi
Changeset: 5438c3739fa273e3427257fcf231bf79ac5ba9d9
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Fri Mar 04 14:59:30 2016 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/5438c3739fa273e3427257fcf231bf79ac5ba9d9
fixes 32398: Organization role can't see data in System/Client tables
A new preference has been created in order to bypass check that compares role's user level with entity's access level to completely prevent accessing latter one.
---
M src-db/database/sourcedata/AD_REF_LIST.xml
M src-test/src/org/openbravo/test/AllAntTaskTests.java
M src-test/src/org/openbravo/test/security/CrossOrganizationReference.java
M src-test/src/org/openbravo/test/security/ExplicitCrossOrganizationReference.java
M src/org/openbravo/base/secureApp/HttpSecureAppServlet.java
M src/org/openbravo/base/secureApp/LoginUtils.java
M src/org/openbravo/dal/core/OBContext.java
M src/org/openbravo/dal/security/EntityAccessChecker.java
A src-test/src/org/openbravo/test/security/BypassAccessLevelCheck.java
--- |
(0086067) hgbot (developer) 2016-04-29 07:30 |
Repository: erp/devel/pi
Changeset: e47bc61fb8bd1d4c2759b92c46131d4d0cf82287
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Thu Apr 28 14:03:21 2016 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/e47bc61fb8bd1d4c2759b92c46131d4d0cf82287
related to issue 32398: fixes test case
---
M src-test/src/org/openbravo/test/security/CrossOrganizationReference.java
--- |
(0086203) caristu (developer) 2016-05-05 10:09 |
Found an error following these steps:
1) Create a new Role with Organization access level
2) Assign it to the Openbravo user
3) Log out and log in
4) In the Role window again, navigate to the newly created role
5) Give it access to the "F&B International Group" organization
6) Give it access to the "F&B España, S.A" organization
7) Using the profile menu, try to switch to this new role. The following error appears:
Error occured: org.openbravo.base.exception.OBException: java.lang.IllegalArgumentException: Error when saving default values
Stack Trace:
Caused by: java.lang.IllegalArgumentException: Error when saving default values
at org.openbravo.client.application.navigationbarcomponents.UserInfoWidgetActionHandler$UserSessionSetter.resetSession(UserInfoWidgetActionHandler.java:477)
at org.openbravo.client.application.navigationbarcomponents.UserInfoWidgetActionHandler$UserSessionSetter.access$1(UserInfoWidgetActionHandler.java:432)
at org.openbravo.client.application.navigationbarcomponents.UserInfoWidgetActionHandler.executeSaveCommand(UserInfoWidgetActionHandler.java:393)
at org.openbravo.client.application.navigationbarcomponents.UserInfoWidgetActionHandler.execute(UserInfoWidgetActionHandler.java:91)
... 48 more |
(0086206) caristu (developer) 2016-05-05 11:13 |
The problem that caused this issue to be reopened is a design defect reported here: https://issues.openbravo.com/view.php?id=32869 |
(0086207) caristu (developer) 2016-05-05 11:15 |
Code review + testing OK. Following steps to reproduce and enabling the preference Bypass Access Level Entity Check:
- Currency window records can be seen (and they are not editable).
- It is possible to run the Copy Lines process successfully |
(0086208) caristu (developer) 2016-05-05 11:24 |
Updated wiki with new preference information: http://wiki.openbravo.com/wiki/Preference |
(0087499) hudsonbot (developer) 2016-06-17 19:37 |
A changeset related to this issue has been promoted to main and to the Central Repository, after passing a series of tests. Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/0dc7be081b1c Maturity status: Test |
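Added example, not taken from the Openbravo code base or from any note above: a Java model of the behaviour the notes describe for an Organization-level role, showing what the Bypass Access Level Entity Check preference changes for Currency. The class, enum and method names are hypothetical, and the set of entity access levels that an Organization-level role matches is an assumption beyond what the issue states.

```java
import java.util.EnumSet;
import java.util.Set;

// Illustrative model only; names are hypothetical, not Openbravo's EntityAccessChecker API.
public class BypassAccessLevelModel {
  enum AccessLevel { SYSTEM_ONLY, SYSTEM_CLIENT, CLIENT_ORGANIZATION, ORGANIZATION }
  enum Access { DERIVED, READ_ONLY, FULL }

  // Entity access levels an Organization-level role passes the level check for.
  // The issue only states that System and System/Client entities fail it;
  // treating the other two levels as matching is an assumption of this model.
  static final Set<AccessLevel> ORG_ROLE_LEVELS =
      EnumSet.of(AccessLevel.ORGANIZATION, AccessLevel.CLIENT_ORGANIZATION);

  // Access an Organization-level role gets to an entity referenced from its windows.
  static Access resolve(AccessLevel entityLevel, boolean windowGranted, boolean bypassPreference) {
    if (!windowGranted) {
      return Access.DERIVED; // reachable only through a reference from a granted entity
    }
    if (ORG_ROLE_LEVELS.contains(entityLevel)) {
      return Access.FULL;
    }
    // Level mismatch: the window grant is ignored unless the preference is set.
    // Read-only with the preference follows verification note 0086207.
    return bypassPreference ? Access.READ_ONLY : Access.DERIVED;
  }

  // Derived access exposes only id and identifier, as in the reported error message.
  static boolean canReadProperty(Access access, String property) {
    if (access == Access.DERIVED) {
      return property.equals("id") || property.equals("identifier");
    }
    return true;
  }

  static boolean canWrite(Access access) {
    return access == Access.FULL;
  }

  public static void main(String[] args) {
    // Currency is modelled as a System/Client entity, per the issue summary.
    for (boolean bypass : new boolean[] { false, true }) {
      Access currency = resolve(AccessLevel.SYSTEM_CLIENT, true, bypass);
      System.out.printf("bypass=%-5s Currency=%-9s read pricePrecision=%-5s write=%s%n",
          bypass, currency, canReadProperty(currency, "pricePrecision"), canWrite(currency));
    }
    // Entities at a matching level are unaffected by the preference.
    System.out.println("Invoice=" + resolve(AccessLevel.ORGANIZATION, true, false));
  }
}
```

In this model the preference only widens read access for entities the role was explicitly granted, so reviewing which roles have it enabled together with their window grants shows the System and System/Client data each role can now read.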
Issue History | |||
Date Modified | Username | Field | Change |
2016-03-03 16:09 | JONHM | New Issue | |
2016-03-03 16:09 | JONHM | Assigned To | => platform |
2016-03-03 16:09 | JONHM | Modules | => Core |
2016-03-03 16:09 | JONHM | Resolution time | => 1456786800 |
2016-03-03 16:09 | JONHM | Triggers an Emergency Pack | => No |
2016-03-03 16:42 | alostale | Note Added: 0084693 | |
2016-03-03 16:42 | alostale | Assigned To | platform => Triage Finance |
2016-03-03 16:42 | alostale | Category | B. User interface => 07. Sales management |
2016-04-04 12:39 | egoitz | Resolution time | 1456786800 => 1462053600 |
2016-04-18 13:13 | egoitz | Assigned To | Triage Finance => platform |
2016-04-18 13:13 | egoitz | Category | 07. Sales management => A. Platform |
2016-04-28 11:23 | alostale | Description Updated | |
2016-04-28 11:23 | alostale | Steps to Reproduce Updated | |
2016-04-28 11:58 | alostale | Summary | Problem accessing some windows while user having Role set at Organization level => Role with Organization user level cannot see data in System/Client tables even if granted |
2016-04-28 11:59 | alostale | Review Assigned To | => caristu |
2016-04-28 11:59 | alostale | Type | defect => feature request |
2016-04-28 11:59 | alostale | Proposed Solution updated | |
2016-04-29 07:30 | hgbot | Checkin | |
2016-04-29 07:30 | hgbot | Note Added: 0086066 | |
2016-04-29 07:30 | hgbot | Status | new => resolved |
2016-04-29 07:30 | hgbot | Resolution | open => fixed |
2016-04-29 07:30 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/devel/pi/rev/5438c3739fa273e3427257fcf231bf79ac5ba9d9 |
2016-04-29 07:30 | hgbot | Checkin | |
2016-04-29 07:30 | hgbot | Note Added: 0086067 | |
2016-05-05 10:09 | caristu | Assigned To | platform => alostale |
2016-05-05 10:09 | caristu | Note Added: 0086203 | |
2016-05-05 10:09 | caristu | Status | resolved => new |
2016-05-05 10:09 | caristu | Resolution | fixed => open |
2016-05-05 10:47 | alostale | Relationship added | related to 0032869 |
2016-05-05 11:12 | caristu | Status | new => scheduled |
2016-05-05 11:13 | caristu | Note Added: 0086206 | |
2016-05-05 11:13 | caristu | Status | scheduled => resolved |
2016-05-05 11:13 | caristu | Fixed in Version | => 3.0PR16Q3 |
2016-05-05 11:13 | caristu | Resolution | open => fixed |
2016-05-05 11:15 | caristu | Note Added: 0086207 | |
2016-05-05 11:15 | caristu | Status | resolved => closed |
2016-05-05 11:24 | caristu | Note Added: 0086208 | |
2016-05-05 11:25 | caristu | Relationship added | related to 0032870 |
2016-06-17 19:37 | hudsonbot | Checkin | |
2016-06-17 19:37 | hudsonbot | Note Added: 0087499 |