ID: 0032398
Type: feature request
Category: [Openbravo ERP] A. Platform
Severity: minor
Reproducibility: always
Date Submitted: 2016-03-03 16:09
Last Update: 2016-06-17 19:37
Reporter: JONHM
View Status: public
Assigned To: alostale
Priority: normal
Resolution: fixed
Fixed in Version: 3.0PR16Q3
Status: closed
Fixed in SCM revision: 5438c3739fa2
Projection: none
ETA: none
OS: Any
Database: Any
Product Version: 3.0PR15Q4.3
Review Assigned To: caristu
Modules: Core
Triggers an Emergency Pack: No

Summary: 0032398: Role with Organization user level cannot see data in System/Client tables even if granted

Description: A user having a role set at Organization level cannot have access to "Currency" window and also cannot copy invoice lines in "Purchase Invoice" window

Steps To Reproduce:
1) Create a user with a role set as Organization Level and assign windows "Currency" and "Purchase Invoice"
2) Sign up with new user
3) Open Currency window
  -> The window is opened but no data is shown with message:
     "With your current role and settings, you cannot view this information"
4) Create a new invoice line, save it and push the button "Copy Lines"
   -> Error message:
      Entity Currency is not directly readable, only id and identifier properties are readable, property Currency.pricePrecision is neither of these.

Proposed Solution: This default behavior will be preserved adding a new Preference (Bypass Access Level Entity Check) that will allow to skip these checks.

http://wiki.openbravo.com/wiki/Role#Role

Tags: No tags attached.

Relationships
related to design defect 0032869 acknowledged Triage Platform Base cannot switch to a role that's being defined in current session
related to defect 0032870 closed caristu Add log information in HttpSecureAppServlet when role has not access

Notes
(0084693)
alostale (manager)
2016-03-03 16:42

This issue describes two topics:

1. Roles defined as Organization level cannot access data in tabs for System or System/Only tables, which is the case of Currency and Conversion Rates windows. This is as per design, so not an issue.
2. Copy Lines process requires explicit access to Currency entity. This can be reproduced with a role with access to only Sales Invoice window. This can be considered as an issue because having access to Sales Invoice window should grant access also to execute its processes.
(0086066)
hgbot (developer)
2016-04-29 07:30

Repository: erp/devel/pi
Changeset: 5438c3739fa273e3427257fcf231bf79ac5ba9d9
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Fri Mar 04 14:59:30 2016 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/5438c3739fa273e3427257fcf231bf79ac5ba9d9

fixes 32398: Organization role can't see data in System/Client tables

  A new preference has been created in order to bypass check that compares role's
  user level with entity's access level to completely prevent accessing latter one.

---
M src-db/database/sourcedata/AD_REF_LIST.xml
M src-test/src/org/openbravo/test/AllAntTaskTests.java
M src-test/src/org/openbravo/test/security/CrossOrganizationReference.java
M src-test/src/org/openbravo/test/security/ExplicitCrossOrganizationReference.java
M src/org/openbravo/base/secureApp/HttpSecureAppServlet.java
M src/org/openbravo/base/secureApp/LoginUtils.java
M src/org/openbravo/dal/core/OBContext.java
M src/org/openbravo/dal/security/EntityAccessChecker.java
A src-test/src/org/openbravo/test/security/BypassAccessLevelCheck.java
---
(0086067)
hgbot (developer)
2016-04-29 07:30

Repository: erp/devel/pi
Changeset: e47bc61fb8bd1d4c2759b92c46131d4d0cf82287
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Thu Apr 28 14:03:21 2016 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/e47bc61fb8bd1d4c2759b92c46131d4d0cf82287

related to issue 32398: fixes test case

---
M src-test/src/org/openbravo/test/security/CrossOrganizationReference.java
---
(0086203)
caristu (developer)
2016-05-05 10:09

Found an error following these steps:

1) Create a new Role with Organization access level
2) Assign it to the Openbravo user
3) Log out and log in
4) In the Role window again, navigate to the newly created role
5) Give it access to the "F&B International Group" organization
6) Give it access to the "F&B España, S.A" organization
7) Using the profile menu, try to switch to this new role. The following error appears:

Error occured: org.openbravo.base.exception.OBException: java.lang.IllegalArgumentException: Error when saving default values

Stack Trace:

Caused by: java.lang.IllegalArgumentException: Error when saving default values
    at org.openbravo.client.application.navigationbarcomponents.UserInfoWidgetActionHandler$UserSessionSetter.resetSession(UserInfoWidgetActionHandler.java:477)
    at org.openbravo.client.application.navigationbarcomponents.UserInfoWidgetActionHandler$UserSessionSetter.access$1(UserInfoWidgetActionHandler.java:432)
    at org.openbravo.client.application.navigationbarcomponents.UserInfoWidgetActionHandler.executeSaveCommand(UserInfoWidgetActionHandler.java:393)
    at org.openbravo.client.application.navigationbarcomponents.UserInfoWidgetActionHandler.execute(UserInfoWidgetActionHandler.java:91)
    ... 48 more
(0086206)
caristu (developer)
2016-05-05 11:13

The problem that caused this issue to be reopened is a design defect reported here: https://issues.openbravo.com/view.php?id=32869
(0086207)
caristu (developer)
2016-05-05 11:15

Code review + testing OK.

Following steps to reproduce and enabling the preference Bypass Access Level Entity Check:

- Currency window records can be seen (And they are not editable).
- It is possible to run the Copy Lines process successfully
(0086208)
caristu (developer)
2016-05-05 11:24

Updated wiki with new preference information: http://wiki.openbravo.com/wiki/Preference
(0087499)
hudsonbot (developer)
2016-06-17 19:37

A changeset related to this issue has been promoted to main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/0dc7be081b1c
Maturity status: Test
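
The check this issue is about, modelled as an added example (not Openbravo's code and not part of any note above): a granted entity is fully readable only when the role's user level overlaps the entity's access level, unless the bypass preference is on; an entity that is merely referenced from a readable one exposes only id and identifier. Class, enum and map names are hypothetical, and the access levels given to Currency and Invoice are constructed sample values.

```java
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;

// Simplified model of the check discussed in this issue; hypothetical names, not Openbravo code.
public class AccessLevelCheckDemo {
    enum Scope { SYSTEM, CLIENT, ORGANIZATION }
    enum Access { NONE, DERIVED, FULL } // DERIVED: only id and identifier are readable

    record Role(Set<Scope> userLevel, Set<String> grantedEntities) {}

    // Constructed sample data: each entity's access level, and which entities reference which.
    static final Map<String, Set<Scope>> ACCESS_LEVEL = Map.of(
        "Currency", EnumSet.of(Scope.SYSTEM, Scope.CLIENT),
        "Invoice", EnumSet.of(Scope.CLIENT, Scope.ORGANIZATION));
    static final Map<String, Set<String>> REFERENCES = Map.of("Invoice", Set.of("Currency"));

    static boolean fullyReadable(Role role, String entity, boolean bypass) {
        if (!role.grantedEntities().contains(entity)) return false; // bypass never replaces the grant
        boolean levelsOverlap = role.userLevel().stream().anyMatch(ACCESS_LEVEL.get(entity)::contains);
        return levelsOverlap || bypass;
    }

    static Access resolve(Role role, String entity, boolean bypass) {
        if (fullyReadable(role, entity, bypass)) return Access.FULL;
        // Referenced from a fully readable entity: expose id and identifier only.
        boolean referenced = REFERENCES.entrySet().stream().anyMatch(e ->
            e.getValue().contains(entity) && fullyReadable(role, e.getKey(), bypass));
        return referenced ? Access.DERIVED : Access.NONE;
    }

    static boolean canRead(Role role, String entity, String property, boolean bypass) {
        Access access = resolve(role, entity, bypass);
        boolean idOrIdentifier = property.equals("id") || property.equals("identifier");
        return access == Access.FULL || (access == Access.DERIVED && idOrIdentifier);
    }

    public static void main(String[] args) {
        Role orgRole = new Role(EnumSet.of(Scope.ORGANIZATION), Set.of("Currency", "Invoice"));
        for (boolean bypass : new boolean[] {false, true}) {
            System.out.printf("bypass=%b Currency=%s pricePrecision readable=%b%n", bypass,
                resolve(orgRole, "Currency", bypass),
                canRead(orgRole, "Currency", "pricePrecision", bypass));
        }
    }
}
```

Records require Java 16 or later. In this model the bypass widens read access only for entities the role was already granted, which is the property to confirm when reviewing a role that has the preference enabled.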

Issue History
Date Modified Username Field Change
2016-03-03 16:09 JONHM New Issue
2016-03-03 16:09 JONHM Assigned To => platform
2016-03-03 16:09 JONHM Modules => Core
2016-03-03 16:09 JONHM Resolution time => 1456786800
2016-03-03 16:09 JONHM Triggers an Emergency Pack => No
2016-03-03 16:42 alostale Note Added: 0084693
2016-03-03 16:42 alostale Assigned To platform => Triage Finance
2016-03-03 16:42 alostale Category B. User interface => 07. Sales management
2016-04-04 12:39 egoitz Resolution time 1456786800 => 1462053600
2016-04-18 13:13 egoitz Assigned To Triage Finance => platform
2016-04-18 13:13 egoitz Category 07. Sales management => A. Platform
2016-04-28 11:23 alostale Description Updated
2016-04-28 11:23 alostale Steps to Reproduce Updated
2016-04-28 11:58 alostale Summary Problem accessing some windows while user having Role set at Organization level => Role with Organization user level cannot see data in System/Client tables even if granted
2016-04-28 11:59 alostale Review Assigned To => caristu
2016-04-28 11:59 alostale Type defect => feature request
2016-04-28 11:59 alostale Proposed Solution updated
2016-04-29 07:30 hgbot Checkin
2016-04-29 07:30 hgbot Note Added: 0086066
2016-04-29 07:30 hgbot Status new => resolved
2016-04-29 07:30 hgbot Resolution open => fixed
2016-04-29 07:30 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/5438c3739fa273e3427257fcf231bf79ac5ba9d9
2016-04-29 07:30 hgbot Checkin
2016-04-29 07:30 hgbot Note Added: 0086067
2016-05-05 10:09 caristu Assigned To platform => alostale
2016-05-05 10:09 caristu Note Added: 0086203
2016-05-05 10:09 caristu Status resolved => new
2016-05-05 10:09 caristu Resolution fixed => open
2016-05-05 10:47 alostale Relationship added related to 0032869
2016-05-05 11:12 caristu Status new => scheduled
2016-05-05 11:13 caristu Note Added: 0086206
2016-05-05 11:13 caristu Status scheduled => resolved
2016-05-05 11:13 caristu Fixed in Version => 3.0PR16Q3
2016-05-05 11:13 caristu Resolution open => fixed
2016-05-05 11:15 caristu Note Added: 0086207
2016-05-05 11:15 caristu Status resolved => closed
2016-05-05 11:24 caristu Note Added: 0086208
2016-05-05 11:25 caristu Relationship added related to 0032870
2016-06-17 19:37 hudsonbot Checkin
2016-06-17 19:37 hudsonbot Note Added: 0087499