0033355: Potential security issue in Process Definitions

diff --git a/modules/org.openbravo.client.application/src/org/openbravo/client/application/ApplicationComponentProvider.java b/modules/org.openbravo.client.application/src/org/openbravo/client/application/ApplicationComponentProvider.java --- a/modules/org.openbravo.client.application/src/org/openbravo/client/application/ApplicationComponentProvider.java +++ b/modules/org.openbravo.client.application/src/org/openbravo/client/application/ApplicationComponentProvider.java @@ -478,6 +478,8 @@ // Product Services globalResources.add(createStaticResource("web/js/productServices.js", true)); + globalResources.add(createStaticResource("web/js/recreateAuthKey.js", true)); + return globalResources; } diff --git a/src-db/database/model/tables/AD_CLIENT.xml b/src-db/database/model/tables/AD_CLIENT.xml --- a/src-db/database/model/tables/AD_CLIENT.xml +++ b/src-db/database/model/tables/AD_CLIENT.xml @@ -197,6 +197,14 @@ <default><![CDATA[0]]></default> <onCreateDefault/> </column> + <column name="RESETAUTHKEY" primaryKey="false" required="false" type="CHAR" size="1" autoIncrement="false"> + <default/> + <onCreateDefault/> + </column> + <column name="AUTH_KEY" primaryKey="false" required="false" type="VARCHAR" size="60" autoIncrement="false"> + <default/> + <onCreateDefault/> + </column> <foreign-key foreignTable="AD_CLIENT" name="AD_CLIENT_AD_CLIENT"> <reference local="AD_CLIENT_ID" foreign="AD_CLIENT_ID"/> </foreign-key> diff --git a/src-db/database/sourcedata/AD_COLUMN.xml b/src-db/database/sourcedata/AD_COLUMN.xml --- a/src-db/database/sourcedata/AD_COLUMN.xml +++ b/src-db/database/sourcedata/AD_COLUMN.xml @@ -244878,7 +244878,7 @@  <ISDESENCRYPTABLE><![CDATA[N]]></ISDESENCRYPTABLE>  <DEVELOPMENTSTATUS><![CDATA[RE]]></DEVELOPMENTSTATUS>  <AD_MODULE_ID><![CDATA[0]]></AD_MODULE_ID> - <POSITION><![CDATA[51]]></POSITION> + <POSITION><![CDATA[49]]></POSITION>  <ISTRANSIENT><![CDATA[N]]></ISTRANSIENT>  <ISAUTOSAVE><![CDATA[Y]]></ISAUTOSAVE>  <VALIDATEONNEW><![CDATA[Y]]></VALIDATEONNEW> @@ -351599,6 +351599,45 @@  <ALLOWED_CROSS_ORG_LINK><![CDATA[N]]></ALLOWED_CROSS_ORG_LINK> </AD_COLUMN> +<AD_COLUMN> + <AD_COLUMN_ID><![CDATA[C4E56F2B03F14E478668FAB869D50DED]]></AD_COLUMN_ID> + <AD_CLIENT_ID><![CDATA[0]]></AD_CLIENT_ID> + <AD_ORG_ID><![CDATA[0]]></AD_ORG_ID> + <ISACTIVE><![CDATA[Y]]></ISACTIVE> + <NAME><![CDATA[EM_Obstsyn_Resetauthkey]]></NAME> + <DESCRIPTION><![CDATA[Proces to recreate the mobile server authentication key]]></DESCRIPTION> + <HELP><![CDATA[Proces to recreate the mobile server authentication key]]></HELP> + <COLUMNNAME><![CDATA[Resetauthkey]]></COLUMNNAME> + <AD_TABLE_ID><![CDATA[112]]></AD_TABLE_ID> + <AD_REFERENCE_ID><![CDATA[28]]></AD_REFERENCE_ID> + <FIELDLENGTH><![CDATA[1]]></FIELDLENGTH> + <ISKEY><![CDATA[N]]></ISKEY> + <ISPARENT><![CDATA[N]]></ISPARENT> + <ISMANDATORY><![CDATA[N]]></ISMANDATORY> + <ISUPDATEABLE><![CDATA[Y]]></ISUPDATEABLE> + <ISIDENTIFIER><![CDATA[N]]></ISIDENTIFIER> + <SEQNO><![CDATA[331]]></SEQNO> + <ISTRANSLATED><![CDATA[N]]></ISTRANSLATED> + <ISENCRYPTED><![CDATA[N]]></ISENCRYPTED> + <ISSELECTIONCOLUMN><![CDATA[N]]></ISSELECTIONCOLUMN> + <AD_ELEMENT_ID><![CDATA[FE6292D767794D4E92003169C1C60106]]></AD_ELEMENT_ID> + <ISSESSIONATTR><![CDATA[N]]></ISSESSIONATTR> + <ISSECONDARYKEY><![CDATA[N]]></ISSECONDARYKEY> + <ISDESENCRYPTABLE><![CDATA[N]]></ISDESENCRYPTABLE> + <DEVELOPMENTSTATUS><![CDATA[RE]]></DEVELOPMENTSTATUS> + <AD_MODULE_ID><![CDATA[0]]></AD_MODULE_ID> + <POSITION><![CDATA[51]]></POSITION> + <ISTRANSIENT><![CDATA[N]]></ISTRANSIENT> + <ISAUTOSAVE><![CDATA[Y]]></ISAUTOSAVE> + <VALIDATEONNEW><![CDATA[Y]]></VALIDATEONNEW> + <IMAGESIZEVALUESACTION><![CDATA[N]]></IMAGESIZEVALUESACTION> + <ISUSEDSEQUENCE><![CDATA[N]]></ISUSEDSEQUENCE> + <ALLOWSORTING><![CDATA[Y]]></ALLOWSORTING> + <ALLOWFILTERING><![CDATA[Y]]></ALLOWFILTERING> + <ALLOWED_CROSS_ORG_LINK><![CDATA[N]]></ALLOWED_CROSS_ORG_LINK> + <EM_OBUIAPP_PROCESS_ID><![CDATA[52092F25FF6C40C78AB3103F8DF5BDA6]]></EM_OBUIAPP_PROCESS_ID> +</AD_COLUMN> + <AD_COLUMN>  <AD_COLUMN_ID><![CDATA[C4EBD68726074887B5FFC0D344FA5CC4]]></AD_COLUMN_ID>  <AD_CLIENT_ID><![CDATA[0]]></AD_CLIENT_ID> @@ -359550,6 +359589,42 @@  <ALLOWED_CROSS_ORG_LINK><![CDATA[N]]></ALLOWED_CROSS_ORG_LINK> </AD_COLUMN> +<AD_COLUMN> + <AD_COLUMN_ID><![CDATA[D133C9CD1039410B9E11B3AAEEFBBCA2]]></AD_COLUMN_ID> + <AD_CLIENT_ID><![CDATA[0]]></AD_CLIENT_ID> + <AD_ORG_ID><![CDATA[0]]></AD_ORG_ID> + <ISACTIVE><![CDATA[Y]]></ISACTIVE> + <NAME><![CDATA[Auth_Key]]></NAME> + <COLUMNNAME><![CDATA[Auth_Key]]></COLUMNNAME> + <AD_TABLE_ID><![CDATA[112]]></AD_TABLE_ID> + <AD_REFERENCE_ID><![CDATA[10]]></AD_REFERENCE_ID> + <FIELDLENGTH><![CDATA[60]]></FIELDLENGTH> + <ISKEY><![CDATA[N]]></ISKEY> + <ISPARENT><![CDATA[N]]></ISPARENT> + <ISMANDATORY><![CDATA[N]]></ISMANDATORY> + <ISUPDATEABLE><![CDATA[Y]]></ISUPDATEABLE> + <ISIDENTIFIER><![CDATA[N]]></ISIDENTIFIER> + <SEQNO><![CDATA[311]]></SEQNO> + <ISTRANSLATED><![CDATA[N]]></ISTRANSLATED> + <ISENCRYPTED><![CDATA[N]]></ISENCRYPTED> + <ISSELECTIONCOLUMN><![CDATA[N]]></ISSELECTIONCOLUMN> + <AD_ELEMENT_ID><![CDATA[B2A700B9E9414B6CAF8EE12686B25D64]]></AD_ELEMENT_ID> + <ISSESSIONATTR><![CDATA[N]]></ISSESSIONATTR> + <ISSECONDARYKEY><![CDATA[N]]></ISSECONDARYKEY> + <ISDESENCRYPTABLE><![CDATA[N]]></ISDESENCRYPTABLE> + <DEVELOPMENTSTATUS><![CDATA[RE]]></DEVELOPMENTSTATUS> + <AD_MODULE_ID><![CDATA[0]]></AD_MODULE_ID> + <POSITION><![CDATA[50]]></POSITION> + <ISTRANSIENT><![CDATA[N]]></ISTRANSIENT> + <ISAUTOSAVE><![CDATA[Y]]></ISAUTOSAVE> + <VALIDATEONNEW><![CDATA[Y]]></VALIDATEONNEW> + <IMAGESIZEVALUESACTION><![CDATA[N]]></IMAGESIZEVALUESACTION> + <ISUSEDSEQUENCE><![CDATA[N]]></ISUSEDSEQUENCE> + <ALLOWSORTING><![CDATA[Y]]></ALLOWSORTING> + <ALLOWFILTERING><![CDATA[Y]]></ALLOWFILTERING> + <ALLOWED_CROSS_ORG_LINK><![CDATA[N]]></ALLOWED_CROSS_ORG_LINK> +</AD_COLUMN> + <AD_COLUMN>  <AD_COLUMN_ID><![CDATA[D160BFBF2CD74DAEB9FF7C425874E282]]></AD_COLUMN_ID>  <AD_CLIENT_ID><![CDATA[0]]></AD_CLIENT_ID> diff --git a/src-db/database/sourcedata/AD_ELEMENT.xml b/src-db/database/sourcedata/AD_ELEMENT.xml --- a/src-db/database/sourcedata/AD_ELEMENT.xml +++ b/src-db/database/sourcedata/AD_ELEMENT.xml @@ -31184,6 +31184,18 @@  <ISGLOSSARY><![CDATA[N]]></ISGLOSSARY> </AD_ELEMENT> +<AD_ELEMENT> + <AD_ELEMENT_ID><![CDATA[B2A700B9E9414B6CAF8EE12686B25D64]]></AD_ELEMENT_ID> + <AD_CLIENT_ID><![CDATA[0]]></AD_CLIENT_ID> + <AD_ORG_ID><![CDATA[0]]></AD_ORG_ID> + <ISACTIVE><![CDATA[Y]]></ISACTIVE> + <COLUMNNAME><![CDATA[Auth_Key]]></COLUMNNAME> + <NAME><![CDATA[Authentication Key]]></NAME> + <PRINTNAME><![CDATA[Authentication Key]]></PRINTNAME> + <AD_MODULE_ID><![CDATA[0]]></AD_MODULE_ID> + <ISGLOSSARY><![CDATA[N]]></ISGLOSSARY> +</AD_ELEMENT> + <AD_ELEMENT>  <AD_ELEMENT_ID><![CDATA[B309CE97F1774C62AE6043A57DD9BAF5]]></AD_ELEMENT_ID>  <AD_CLIENT_ID><![CDATA[0]]></AD_CLIENT_ID> @@ -34654,6 +34666,20 @@  <ISGLOSSARY><![CDATA[N]]></ISGLOSSARY> </AD_ELEMENT> +<AD_ELEMENT> + <AD_ELEMENT_ID><![CDATA[FE6292D767794D4E92003169C1C60106]]></AD_ELEMENT_ID> + <AD_CLIENT_ID><![CDATA[0]]></AD_CLIENT_ID> + <AD_ORG_ID><![CDATA[0]]></AD_ORG_ID> + <ISACTIVE><![CDATA[Y]]></ISACTIVE> + <COLUMNNAME><![CDATA[Resetauthkey]]></COLUMNNAME> + <NAME><![CDATA[Recreate Mobile Server Authentication Key]]></NAME> + <PRINTNAME><![CDATA[Recreate Mobile Server Authentication Key]]></PRINTNAME> + <DESCRIPTION><![CDATA[Proces to recreate the mobile server authentication key]]></DESCRIPTION> + <HELP><![CDATA[Proces to recreate the mobile server authentication key]]></HELP> + <AD_MODULE_ID><![CDATA[0]]></AD_MODULE_ID> + <ISGLOSSARY><![CDATA[N]]></ISGLOSSARY> +</AD_ELEMENT> + <AD_ELEMENT>  <AD_ELEMENT_ID><![CDATA[FF16AAFDFE1D4557B2792C6B50B7D25C]]></AD_ELEMENT_ID>  <AD_CLIENT_ID><![CDATA[0]]></AD_CLIENT_ID> diff --git a/src-db/database/sourcedata/AD_FIELD.xml b/src-db/database/sourcedata/AD_FIELD.xml --- a/src-db/database/sourcedata/AD_FIELD.xml +++ b/src-db/database/sourcedata/AD_FIELD.xml @@ -213192,6 +213192,35 @@  <EM_OBUIAPP_SHOWSUMMARY><![CDATA[N]]></EM_OBUIAPP_SHOWSUMMARY> </AD_FIELD> +<AD_FIELD> + <AD_FIELD_ID><![CDATA[54D5DC71C3EC49878E3A6FCD30735192]]></AD_FIELD_ID> + <AD_CLIENT_ID><![CDATA[0]]></AD_CLIENT_ID> + <AD_ORG_ID><![CDATA[0]]></AD_ORG_ID> + <ISACTIVE><![CDATA[Y]]></ISACTIVE> + <NAME><![CDATA[Recreate Mobile Server Authentication Key]]></NAME> + <DESCRIPTION><![CDATA[Proces to recreate the mobile server authentication key]]></DESCRIPTION> + <HELP><![CDATA[This process resets the authentication key of the client. This is a sensitive action which should be executed when none of the WebPOS clients is working. After this action all users need to relogin. +]]></HELP> + <ISCENTRALLYMAINTAINED><![CDATA[Y]]></ISCENTRALLYMAINTAINED> + <AD_TAB_ID><![CDATA[145]]></AD_TAB_ID> + <AD_COLUMN_ID><![CDATA[C4E56F2B03F14E478668FAB869D50DED]]></AD_COLUMN_ID> + <IGNOREINWAD><![CDATA[N]]></IGNOREINWAD> + <ISDISPLAYED><![CDATA[Y]]></ISDISPLAYED> + <DISPLAYLENGTH><![CDATA[1]]></DISPLAYLENGTH> + <ISREADONLY><![CDATA[N]]></ISREADONLY> + <SEQNO><![CDATA[430]]></SEQNO> + <ISSAMELINE><![CDATA[N]]></ISSAMELINE> + <ISFIELDONLY><![CDATA[N]]></ISFIELDONLY> + <ISENCRYPTED><![CDATA[N]]></ISENCRYPTED> + <SHOWINRELATION><![CDATA[N]]></SHOWINRELATION> + <ISFIRSTFOCUSEDFIELD><![CDATA[N]]></ISFIRSTFOCUSEDFIELD> + <AD_MODULE_ID><![CDATA[0]]></AD_MODULE_ID> + <STARTINODDCOLUMN><![CDATA[N]]></STARTINODDCOLUMN> + <STARTNEWLINE><![CDATA[N]]></STARTNEWLINE> + <ISSHOWNINSTATUSBAR><![CDATA[N]]></ISSHOWNINSTATUSBAR> + <EM_OBUIAPP_SHOWSUMMARY><![CDATA[N]]></EM_OBUIAPP_SHOWSUMMARY> +</AD_FIELD> + <AD_FIELD>  <AD_FIELD_ID><![CDATA[54DB32FEEC9B4DED80CB488660F53506]]></AD_FIELD_ID>  <AD_CLIENT_ID><![CDATA[0]]></AD_CLIENT_ID> diff --git a/src-db/database/sourcedata/OBUIAPP_PROCESS.xml b/src-db/database/sourcedata/OBUIAPP_PROCESS.xml --- a/src-db/database/sourcedata/OBUIAPP_PROCESS.xml +++ b/src-db/database/sourcedata/OBUIAPP_PROCESS.xml @@ -131,6 +131,26 @@  <ISCANADDRECORDSTOSELECTOR><![CDATA[N]]></ISCANADDRECORDSTOSELECTOR> </OBUIAPP_PROCESS> +<OBUIAPP_PROCESS> + <OBUIAPP_PROCESS_ID><![CDATA[52092F25FF6C40C78AB3103F8DF5BDA6]]></OBUIAPP_PROCESS_ID> + <AD_CLIENT_ID><![CDATA[0]]></AD_CLIENT_ID> + <AD_ORG_ID><![CDATA[0]]></AD_ORG_ID> + <ISACTIVE><![CDATA[Y]]></ISACTIVE> + <VALUE><![CDATA[RecreateMobileServerAuthenticationKey]]></VALUE> + <NAME><![CDATA[Recreate Mobile Server Authentication Key]]></NAME> + <DESCRIPTION><![CDATA[Proces to recreate the mobile server authentication key]]></DESCRIPTION> + <HELP><![CDATA[Proces to recreate the mobile server authentication key]]></HELP> + <ACCESSLEVEL><![CDATA[3]]></ACCESSLEVEL> + <CLASSNAME><![CDATA[OB.RecreateAuthKey.recreate]]></CLASSNAME> + <ISBACKGROUND><![CDATA[N]]></ISBACKGROUND> + <AD_MODULE_ID><![CDATA[0]]></AD_MODULE_ID> + <UIPATTERN><![CDATA[M]]></UIPATTERN> + <ISMULTIRECORD><![CDATA[N]]></ISMULTIRECORD> + <IS_EXPLICIT_ACCESS><![CDATA[Y]]></IS_EXPLICIT_ACCESS> + <ISGRIDLEGACY><![CDATA[N]]></ISGRIDLEGACY> + <ISCANADDRECORDSTOSELECTOR><![CDATA[N]]></ISCANADDRECORDSTOSELECTOR> +</OBUIAPP_PROCESS> + <OBUIAPP_PROCESS>  <OBUIAPP_PROCESS_ID><![CDATA[5D335DD61A264A6FAD881E159ADA9F5A]]></OBUIAPP_PROCESS_ID>  <AD_CLIENT_ID><![CDATA[0]]></AD_CLIENT_ID> diff --git a/src/org/openbravo/RecreateMobileServerAuthKeyHandler.java b/src/org/openbravo/RecreateMobileServerAuthKeyHandler.java new file mode 100644 --- /dev/null +++ b/src/org/openbravo/RecreateMobileServerAuthKeyHandler.java @@ -0,0 +1,79 @@ +/* + ************************************************************************* + * Openbravo DB Synchronization module for Retail + * Copyright (C) 2016 Openbravo SLU + * + * The content of this file is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + ************************************************************************ + */ + +package org.openbravo; + +import java.util.Map; + +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; + +import org.apache.commons.codec.binary.Base64; +import org.codehaus.jettison.json.JSONException; +import org.codehaus.jettison.json.JSONObject; +import org.openbravo.base.secureApp.VariablesSecureApp; +import org.openbravo.client.kernel.BaseActionHandler; +import org.openbravo.client.kernel.RequestContext; +import org.openbravo.dal.service.OBDal; +import org.openbravo.database.ConnectionProvider; +import org.openbravo.erpCommon.utility.OBMessageUtils; +import org.openbravo.erpCommon.utility.Utility; +import org.openbravo.model.ad.system.Client; +import org.openbravo.service.db.DalConnectionProvider; + +public class RecreateMobileServerAuthKeyHandler extends BaseActionHandler { + @Override + protected JSONObject execute(Map<String, Object> parameters, String data) { + ConnectionProvider conn = new DalConnectionProvider(false); + VariablesSecureApp vars = RequestContext.get().getVariablesSecureApp(); + JSONObject response = new JSONObject(); + try { + final JSONObject jsonData = new JSONObject(data); + final Client client = OBDal.getInstance().get(Client.class, + jsonData.getString("selectedRecord")); + // generate and store the key: + final int AES_KEYLENGTH = 128; + KeyGenerator keyGen = KeyGenerator.getInstance("AES"); + keyGen.init(AES_KEYLENGTH); + final SecretKey secretKey = keyGen.generateKey(); + final String strKey = Base64.encodeBase64String(secretKey.getEncoded()); + client.setAuthKey(strKey); + + JSONObject message = new JSONObject(); + + message.put("severity", "success"); + message.put("title", "Success"); + message.put("text", Utility.messageBD(conn, "Success", vars.getLanguage())); + response.put("message", message); + + } catch (Exception e) { + JSONObject errorMessage = new JSONObject(); + try { + errorMessage.put("severity", "error"); + errorMessage.put("title", "Error"); + errorMessage.put("text", OBMessageUtils.translateError(e.getMessage()).getMessage()); + response.put("message", errorMessage); + } catch (JSONException ignore) { + } + + } + return response; + } +} \ No newline at end of file diff --git a/web/js/recreateAuthKey.js b/web/js/recreateAuthKey.js new file mode 100644 --- /dev/null +++ b/web/js/recreateAuthKey.js @@ -0,0 +1,55 @@ +/* + ************************************************************************* + * Openbravo DB Synchronization module for Retail + * Copyright (C) 2016 Openbravo SLU + * + * The content of this file is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + ************************************************************************ + */ + + +OB = OB || {}; + +OB.RecreateAuthKey = { + execute: function (params, view) { + var selection = params.button.contextView.viewGrid.getSelectedRecords(), + callback; + callback = function (rpcResponse, data, rpcRequest) { + if (data.message.severity === 'success') { + view.view.messageBar.setMessage(isc.OBMessageBar.TYPE_SUCCESS, data.message.title, data.message.text); + } else { + view.view.messageBar.setMessage(isc.OBMessageBar.TYPE_ERROR, data.message.title, data.message.text); + } + view.view.refresh(); + }; + OB.RemoteCallManager.call('org.openbravo.RecreateMobileServerAuthKeyHandler', { + action: params.action, + selectedRecord: selection[0].id + }, {}, callback); + }, + + recreate: function (params, view) { + var messageTxt = OB.I18N.getLabel('OBSTSYN_RecreateAuthKey'); + isc.confirm(messageTxt, {}, function (clickedOK) { + if (clickedOK) { + var messageTxt = OB.I18N.getLabel('OBSTSYN_ConfirmRecreateAuthKey'); + isc.confirm(messageTxt, {}, function (clickedOK) { + if (clickedOK) { + OB.RecreateAuthKey.execute(params, view); + } + }); + } + }); + } +}; \ No newline at end of file

Issue History
Date Modified	Username	Field	Change
2016-06-24 13:41	AugustoMauch	New Issue
2016-06-24 13:41	AugustoMauch	Assigned To	=> platform
2016-06-24 13:41	AugustoMauch	Modules	=> Core
2016-06-24 13:41	AugustoMauch	Triggers an Emergency Pack	=> No
2016-06-24 13:43	caristu	Assigned To	platform => caristu
2016-06-24 13:43	caristu	Status	new => acknowledged
2016-06-27 09:25	caristu	Relationship added	related to 0033166
2016-06-27 09:25	caristu	Status	acknowledged => scheduled
2016-06-27 09:25	caristu	Target Version	=> 3.0PR16Q4
2016-06-27 09:48	caristu	File Added: issue33355.diff
2016-06-27 09:51	caristu	File Deleted: issue33355.diff
2016-06-27 09:51	caristu	File Added: issueProcessDefinition.diff
2016-06-27 09:51	caristu	File Added: issue33355.diff
2016-06-27 10:08	Sandrahuguet	Relationship added	related to 0033239
2016-07-18 13:16	hgbot	Checkin
2016-07-18 13:16	hgbot	Note Added: 0088551
2016-07-18 13:16	hgbot	Status	scheduled => resolved
2016-07-18 13:16	hgbot	Resolution	open => fixed
2016-07-18 13:16	hgbot	Fixed in SCM revision	=> http://code.openbravo.com/erp/devel/pi/rev/5a3558090511f4d767ae11c5a3aee2c74708e9f9 [^]
2016-07-18 13:16	caristu	Review Assigned To	=> alostale
2016-07-18 13:16	caristu	Issue Monitored: alostale
2016-07-22 10:41	alostale	Note Added: 0088625
2016-07-22 10:41	alostale	Status	resolved => closed
2016-07-22 10:41	alostale	Fixed in Version	=> 3.0PR16Q4
2016-08-11 18:40	hudsonbot	Checkin
2016-08-11 18:40	hudsonbot	Note Added: 0089018

Notes
(0088551) hgbot (developer) 2016-07-18 13:16	Repository: erp/devel/pi Changeset: 5a3558090511f4d767ae11c5a3aee2c74708e9f9 Author: Carlos Aristu <carlos.aristu <at> openbravo.com> Date: Mon Jul 18 13:15:07 2016 +0200 URL: http://code.openbravo.com/erp/devel/pi/rev/5a3558090511f4d767ae11c5a3aee2c74708e9f9 [^] fixes issue 33355: Potential security issue in Process Definitions The problem was that in SecurityChecker the checking for write access was not considering that the object being written could be an instance of Client (This class is the only DAL generated class which does not implement the ClientEnabled interface). --- M src/org/openbravo/dal/security/SecurityChecker.java ---

(0088625) alostale (manager) 2016-07-22 10:41	code reviewed + tested

(0089018) hudsonbot (developer) 2016-08-11 18:40	A changeset related to this issue has been promoted main and to the Central Repository, after passing a series of tests. Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/edaa05b1fb18 [^] Maturity status: Test