Openbravo ERP issue 0035263

ID: 0035263
Type: defect
Category: [Openbravo ERP] 01. General setup
Severity: major
Reproducibility: always
Date Submitted: 2017-02-14 16:41
Last Update: 2017-03-15 20:19
Reporter: ngarcia
View Status: public
Assigned To: vmromanos
Priority: urgent
Resolution: fixed
Fixed in Version: 3.0PR17Q2
Status: closed
Fixed in SCM revision: a28822293fdd
Projection: none
ETA: none
OS: Any
Database: Any
Review Assigned To: markmm82
Modules: Core
Triggers an Emergency Pack: No

Summary: 0035263: Role can add a widget to the workspace and see its contents although it does not have access to it

Description: Role can add a widget to the workspace and see its contents although it does not have access to it

Steps To Reproduce:
As group admin role:
1. Create a new role.
2. Set it as Manual.
3. Add F&B España Organization.
4. Create a new user.
5. Add the previously created role.
6. Log out.
7. Log in with the previously created role.
8. Click on the Add Widget option in the workspace.
9. Select Best Sellers.
10. Insert a number in the Number of Rows field and Save.
11. Check that you see the records; you should not.

Tags: No tags attached.
Notes

(0094384) vmromanos (manager) 2017-02-16 12:22
Note that this issue only affects the Best Seller widget, so it's not a generic platform issue.
(0094385) vmromanos (manager) 2017-02-16 12:24 edited on: 2017-02-16 13:21
Test plan:
As group admin role:
1. Create a new role.
2. Set it as Manual.
3. Add F&B España Organization.
4. Create a new user.
5. Add the previously created role.
6. Log out.
7. Log in with the previously created user.
8. Click on the Add Widget option in the workspace.
9. Select Best Sellers.
10. Insert a number in the Number of Rows field and Save.
11. Verify you only see records that belong to Spanish organizations (easy to identify as they are written in Spanish).
(0094386) jfrances (reporter) 2017-02-16 12:31
For the above test plan indicated by vromanos, the new user/role shouldn't have access to the widget if the widget is not in the role. The user can see information in the widgets without having permissions to view this information. The user doesn't have access to the product window nor to the "best seller" widget, but they can add the widget to their workspace.
(0094397) markmm82 (developer) 2017-02-16 17:25 edited on: 2017-02-16 17:30
In the particular case of access to widgets, unlike how the rest of the windows and processes work in OB, there is the "Enable for all Users" flag which, when activated, makes access to this widget public. This configuration has a higher priority than having defined the access or not of the role to a widget. For this reason, if it is desired that not all the roles have access to a widget, it will be necessary to:
- First disable the "Enable for all Users" option for those widgets that will not be publicly accessible.
- Go to the Role window and select the role you want to configure. Move to the "Widget Class Access" tab and add the widgets to which you want to allow access for the role.
This way users from the role will only be able to see public widgets (those with the "Enable for all Users" flag checked) and the non-public ones configured for the role. From this point of view I think this is not an issue and has a functional solution.
(0094399) jfrances (reporter) 2017-02-16 17:32
Thanks markmm82, you're right, I didn't know that functionality.
(0094404) vmromanos (manager) 2017-02-16 18:42
You are mixing up things:
1. This flag is to enable the widget for a role regardless of whether this role has explicit access to the widget in the Widget Access tab.
2. Once the widget is enabled for the user, it can only show records belonging to the organizations where the user has access. In the test plan, it makes no sense that the user can see records belonging to US because he has no access to this organization. That's why this is a real issue that should be fixed.
3. Finally, the widget can show information about entities that you don't have access to. Actually it doesn't show the full entity, but just "names and numbers". If you try to browse to the window for that entity, the system will block you if your role doesn't have the necessary privileges for the window.
(0094405) hgbot (developer) 2017-02-16 19:13
Repository: erp/devel/pi
Changeset: a28822293fdd507896a5d172e32dd4712d62277a
Author: Victor Martinez Romanos <victor.martinez <at> openbravo.com>
Date: Thu Feb 16 12:22:58 2017 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/a28822293fdd507896a5d172e32dd4712d62277a

Fixed bug 35263: Organization filter in Best Seller widget
The Best Seller widget didn't have an organization filter, thus showing records belonging to organizations where the role doesn't have access. The fix introduces a new parameter to get the readable orgs, and the HQL query has been adapted to use it.
---
M modules/org.openbravo.client.widgets/src-db/database/sourcedata/OBCQL_WIDGET_QUERY.xml
M modules/org.openbravo.client.widgets/src-db/database/sourcedata/OBUIAPP_PARAMETER.xml
---
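The two controls discussed in the notes, the widget-level check (notes 0094397 and 0094404) and the row-level organization filter that the changeset in note 0094405 adds, as an added Python/SQLite illustration. This is not Openbravo code: the schema, sample data, organization ids, role structure and function names are all constructed for the example, and the two queries only mirror the shape the commit message describes (a ranking over every organization versus one restricted to the role's readable organizations), not the project's real HQL.

```python
import sqlite3

# Constructed sample data (not Openbravo's schema or real records): two
# organizations, the products each one owns, and order lines to rank them by.
ORGANIZATIONS = [("ORG_ES", "F&B España"), ("ORG_US", "F&B US")]
PRODUCTS = [
    (1, "ORG_ES", "Cerveza Ale 0,5L"),
    (2, "ORG_ES", "Vino Tinto Reserva"),
    (3, "ORG_US", "Ale Beer 0.5L"),
    (4, "ORG_US", "Red Wine Reserve"),
]
ORDER_LINES = [(1, 40), (2, 15), (3, 90), (4, 60), (1, 10)]


def build_db():
    """Create an in-memory database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE organization (id TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE product (id INTEGER PRIMARY KEY, org_id TEXT, name TEXT);
        CREATE TABLE order_line (product_id INTEGER, qty INTEGER);
        """
    )
    conn.executemany("INSERT INTO organization VALUES (?, ?)", ORGANIZATIONS)
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", PRODUCTS)
    conn.executemany("INSERT INTO order_line VALUES (?, ?)", ORDER_LINES)
    return conn


def best_sellers_unfiltered(conn, rows):
    """Pre-fix shape of the query: the ranking runs over every organization,
    so a role reads product names and quantities from organizations it
    is not allowed to see. Returns product names, best seller first."""
    cur = conn.execute(
        """
        SELECT p.name, SUM(l.qty) AS sold
        FROM product p JOIN order_line l ON l.product_id = p.id
        GROUP BY p.id ORDER BY sold DESC LIMIT ?
        """,
        (rows,),
    )
    return [name for name, _ in cur.fetchall()]


def best_sellers(conn, readable_orgs, rows):
    """Fixed shape: the caller passes the role's readable organizations and
    the query restricts the ranking to them. The IN-list placeholders are
    generated from the list length so org ids are bound, never spliced
    into the SQL text."""
    if not readable_orgs:
        return []  # a role that can read no organization gets no records
    placeholders = ",".join("?" * len(readable_orgs))
    cur = conn.execute(
        f"""
        SELECT p.name, SUM(l.qty) AS sold
        FROM product p JOIN order_line l ON l.product_id = p.id
        WHERE p.org_id IN ({placeholders})
        GROUP BY p.id ORDER BY sold DESC LIMIT ?
        """,
        (*readable_orgs, rows),
    )
    return [name for name, _ in cur.fetchall()]


def can_add_widget(widget, role):
    """Widget-level rule as the notes describe it: a widget flagged
    'Enable for all Users' is open to every role; otherwise the role needs
    an explicit Widget Class Access entry. (Hypothetical dict layout.)"""
    return widget["enable_for_all_users"] or widget["id"] in role["widget_access"]


def render_best_sellers(conn, widget, role, rows):
    """Both controls together: the widget check decides whether the role may
    add the widget at all, and the organization filter decides which rows it
    may see. Neither control substitutes for the other, which is the point
    made in note 0094404. Returns None when the widget is not accessible."""
    if not can_add_widget(widget, role):
        return None
    return best_sellers(conn, role["readable_orgs"], rows)


if __name__ == "__main__":
    conn = build_db()
    spanish_role = {"readable_orgs": ["ORG_ES"], "widget_access": set()}
    public_widget = {"id": "BEST_SELLERS", "enable_for_all_users": True}
    print("before fix:", best_sellers_unfiltered(conn, 10))
    print("after fix: ", render_best_sellers(conn, public_widget, spanish_role, 10))
```

Running it shows the US products ranked first in the unfiltered result, while the filtered result for a role restricted to the Spanish organization contains only Spanish products, matching the check in the test plan (note 0094385).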
(0094406) markmm82 (developer) 2017-02-16 19:15
Code review + Testing OK
(0095190) hudsonbot (developer) 2017-03-15 20:19
A changeset related to this issue has been promoted to main and to the Central Repository, after passing a series of tests.
Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/54e102bef53e
Maturity status: Test
Issue History

Date Modified | Username | Field | Change
2017-02-14 16:41 | ngarcia | New Issue |
2017-02-14 16:41 | ngarcia | Assigned To | => Triage Finance
2017-02-14 16:41 | ngarcia | Modules | => Core
2017-02-14 16:41 | ngarcia | Resolution time | => 1489705200
2017-02-14 16:41 | ngarcia | Triggers an Emergency Pack | => No
2017-02-14 16:42 | ngarcia | Issue Monitored: networkb |
2017-02-14 16:48 | jfrances | Issue Monitored: jfrances |
2017-02-14 22:39 | markmm82 | Assigned To | Triage Finance => collazoandy4
2017-02-16 11:25 | vmromanos | Status | new => scheduled
2017-02-16 11:25 | vmromanos | Assigned To | collazoandy4 => vmromanos
2017-02-16 12:22 | vmromanos | Note Added: 0094384 |
2017-02-16 12:24 | vmromanos | Note Added: 0094385 |
2017-02-16 12:31 | jfrances | Note Added: 0094386 |
2017-02-16 13:21 | vmromanos | Note Edited: 0094385 |
2017-02-16 17:25 | markmm82 | Note Added: 0094397 |
2017-02-16 17:30 | markmm82 | Note Edited: 0094397 |
2017-02-16 17:32 | jfrances | Note Added: 0094399 |
2017-02-16 18:42 | vmromanos | Note Added: 0094404 |
2017-02-16 19:13 | hgbot | Checkin |
2017-02-16 19:13 | hgbot | Note Added: 0094405 |
2017-02-16 19:13 | hgbot | Status | scheduled => resolved
2017-02-16 19:13 | hgbot | Resolution | open => fixed
2017-02-16 19:13 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/devel/pi/rev/a28822293fdd507896a5d172e32dd4712d62277a
2017-02-16 19:15 | markmm82 | Review Assigned To | => markmm82
2017-02-16 19:15 | markmm82 | Note Added: 0094406 |
2017-02-16 19:15 | markmm82 | Status | resolved => closed
2017-02-16 19:15 | markmm82 | Fixed in Version | => 3.0PR17Q2
2017-02-23 18:34 | ngarcia | Relationship added | related to 0035352
2017-03-15 20:19 | hudsonbot | Checkin |
2017-03-15 20:19 | hudsonbot | Note Added: 0095190 |