Project:
| View Issue Details[ Jump to Notes ] | [ Issue History ] [ Print ] | |||||||
| ID | ||||||||
| 0033166 | ||||||||
| Type | Category | Severity | Reproducibility | Date Submitted | Last Update | |||
| defect | [Openbravo ERP] 01. General setup | major | always | 2016-06-06 18:13 | 2017-02-01 15:41 | |||
| Reporter | ngarcia | View Status | public | |||||
| Assigned To | alostale | |||||||
| Priority | urgent | Resolution | fixed | Fixed in Version | 3.0PR16Q3 | |||
| Status | closed | Fix in branch | Fixed in SCM revision | 463564b77a03 | ||||
| Projection | none | ETA | none | Target Version | ||||
| OS | Any | Database | Any | Java version | ||||
| OS Version | Database version | Ant version | ||||||
| Product Version | SCM revision | |||||||
| Review Assigned To | caristu | |||||||
| Web browser | ||||||||
| Modules | Core | |||||||
| Regression level | ||||||||
| Regression date | ||||||||
| Regression introduced in release | ||||||||
| Regression introduced by commit | ||||||||
| Triggers an Emergency Pack | No | |||||||
| Summary | 0033166: Role with access to one organization can edit all of them in Organization window | |||||||
| Description | Role with access to one organization can edit all of them in Organization window | |||||||
| Steps To Reproduce | As group admin role: Create a new Role: User Level: Client+Organization Advanced: Y Remove all the organizations except F&B España - Región Norte Add the role to Openbravo User Log out and log in with previously created role Go to Organization window and observe you can edit all the organizations | |||||||
| Tags | No tags attached. | |||||||
| Attached Files | ||||||||
 Relationships [ Relation Graph ]
[ Dependency Graph ]
|
||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||
 Relationships |
|
Notes |
|
|
(0087235) alostale (manager) 2016-06-14 10:29 |
Originally, 2 issues were reported in this one, 0033255 has been created to split it. |
|
(0087281) hgbot (developer) 2016-06-15 09:07 |
Repository: erp/devel/pi Changeset: ac14fb7ab6ef4aa3bddb9e0b6907eafa4d3b1eeb Author: Asier Lostalé <asier.lostale <at> openbravo.com> Date: Wed Jun 15 08:39:05 2016 +0200 URL: http://code.openbravo.com/erp/devel/pi/rev/ac14fb7ab6ef4aa3bddb9e0b6907eafa4d3b1eeb [^] related to bug 33166: writable access is not checked when editing client/org Code clean up: consolidated 3 implementations of checkWritable in one: - SecurityChecker.checkWriteAccess duplicated code in SecurityChecker.isWritable with the only difference of returning a boolean instead of throwing an exception. Now isWritable invokes checkWriteAccess. - FIC implemented again this check to make the UI readonly for non writable rows, now it invokes SecurityChecker.isWritable method. --- M modules/org.openbravo.client.application/src/org/openbravo/client/application/window/FormInitializationComponent.java M src/org/openbravo/dal/security/SecurityChecker.java --- |
|
(0087282) hgbot (developer) 2016-06-15 09:07 |
Repository: erp/devel/pi Changeset: 463564b77a032485223cc070cf0aa66f6f0e03d8 Author: Asier Lostalé <asier.lostale <at> openbravo.com> Date: Wed Jun 15 09:06:46 2016 +0200 URL: http://code.openbravo.com/erp/devel/pi/rev/463564b77a032485223cc070cf0aa66f6f0e03d8 [^] fixed bug 33166: writable access is not checked when editing client/org A role without access to organization A could edit it in Organization window. Writable access was bypassed in this case both in UI and DAL. This patch includes two fixes: - DAL (SecurityChecker) treats instances of Client and Organization objects as special cases getting the client or organization ids not from FK property but directly as their id. In this manner checking for those entities is performed. - Grid UI. Similar implementation is done to decide whether a row should be marked as ready only. In this case it is not possible to reuse previous code as the checks are done on a json object instead of on a DAL object. --- M modules/org.openbravo.service.json/src/org/openbravo/service/json/DefaultJsonDataService.java M src/org/openbravo/dal/security/SecurityChecker.java --- |
|
(0087382) caristu (developer) 2016-06-17 10:14 |
Code review + testing OK Verified in pi@a3288a6ce595 |
|
(0087618) hudsonbot (developer) 2016-06-17 19:38 |
A changeset related to this issue has been promoted main and to the Central Repository, after passing a series of tests. Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/0dc7be081b1c [^] Maturity status: Test |
|
(0087619) hudsonbot (developer) 2016-06-17 19:38 |
A changeset related to this issue has been promoted main and to the Central Repository, after passing a series of tests. Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/0dc7be081b1c [^] Maturity status: Test |
|
Notes |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2016-06-06 18:13 | ngarcia | New Issue | |
| 2016-06-06 18:13 | ngarcia | Assigned To | => Triage Finance |
| 2016-06-06 18:13 | ngarcia | Modules | => Core |
| 2016-06-06 18:13 | ngarcia | Resolution time | => 1466978400 |
| 2016-06-06 18:13 | ngarcia | Triggers an Emergency Pack | => No |
| 2016-06-06 18:14 | ngarcia | Issue Monitored: networkb | |
| 2016-06-06 18:57 | aferraz | Assigned To | Triage Finance => platform |
| 2016-06-14 10:27 | alostale | Issue cloned | 0033255 |
| 2016-06-14 10:27 | alostale | Relationship added | related to 0033255 |
| 2016-06-14 10:28 | alostale | Summary | Role with access to one organization can edit all of them in Organization window, some of them not shown in tree view => Role with access to one organization can edit all of them in Organization window |
| 2016-06-14 10:28 | alostale | Description Updated | View Revisions |
| 2016-06-14 10:28 | alostale | Steps to Reproduce Updated | View Revisions |
| 2016-06-14 10:29 | alostale | Note Added: 0087235 | |
| 2016-06-14 10:30 | alostale | Relationship added | related to 0033198 |
| 2016-06-15 09:02 | alostale | Review Assigned To | => caristu |
| 2016-06-15 09:07 | hgbot | Checkin | |
| 2016-06-15 09:07 | hgbot | Note Added: 0087281 | |
| 2016-06-15 09:07 | hgbot | Checkin | |
| 2016-06-15 09:07 | hgbot | Note Added: 0087282 | |
| 2016-06-15 09:07 | hgbot | Status | new => resolved |
| 2016-06-15 09:07 | hgbot | Resolution | open => fixed |
| 2016-06-15 09:07 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/devel/pi/rev/463564b77a032485223cc070cf0aa66f6f0e03d8 [^] |
| 2016-06-17 10:14 | caristu | Note Added: 0087382 | |
| 2016-06-17 10:14 | caristu | Status | resolved => closed |
| 2016-06-17 10:14 | caristu | Fixed in Version | => 3.0PR16Q3 |
| 2016-06-17 19:38 | hudsonbot | Checkin | |
| 2016-06-17 19:38 | hudsonbot | Note Added: 0087618 | |
| 2016-06-17 19:38 | hudsonbot | Checkin | |
| 2016-06-17 19:38 | hudsonbot | Note Added: 0087619 | |
| 2016-06-27 09:25 | caristu | Relationship added | related to 0033355 |
| 2017-01-25 08:37 | caristu | Relationship added | causes 0034977 |
| 2017-02-01 15:41 | alostale | Assigned To | platform => alostale |
| 2019-03-11 13:26 | jarmendariz | Relationship added | related to 0040303 |
|
Issue History |
| Copyright © 2000 - 2009 MantisBT Group |
 |