Anonymous | Login
Project:
RSS
  
News | My View | View Issues | Roadmap | Summary

View Issue DetailsJump to Notes ] Issue History ] Print ]
ID
0036725
TypeCategorySeverityReproducibilityDate SubmittedLast Update
defect[Openbravo ERP] 01. General setupmajoralways2017-08-28 10:132017-09-22 18:28
ReportermaiteView Statuspublic 
Assigned ToAugustoMauch 
PriorityurgentResolutionfixedFixed in Version3.0PR17Q4
StatusclosedFix in branchFixed in SCM revisioncf859d178908
ProjectionnoneETAnoneTarget Version
OSAnyDatabaseAnyJava version
OS VersionDatabase versionAnt version
Product VersionSCM revision 
Review Assigned Tocaristu
Web browser
ModulesCore
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary

0036725: Should not be possible to create new data when user is not able to edit existent data

DescriptionShould not be possible to create new data when user is not able to edit existent data
Steps To Reproduce0. Create new role named "españa" setting UserLevel=Organization
1. Edit "Org Access" to only leave access to "F&B España - Región Norte" and "F&B España - Región Sur" organizations
2. Edit "User Assigment" to define "Openbravo"
3. Logout and login again using "españa" role
4. Access Business Partner window and realize that you are able to see "F&B España, S.A" records bt not able to edit it (which is OK)
5. Access "Location/Address" tab and realize that you are not able to edit reord (which is OK) but you are able to create new record (which is not OK). Moreover it will be created to organization different from "F&B España, S.A"

Same behavior present in Product window
Proposed SolutionOrganization field was set as readonly in Business Partner, Product... tabs as you were able to create data inconsistency between header's org and tab's org. For that reason, user should not be able to create records in tabs where Organization field is not shown (such as Business Partner, Product...) and in case it has not edit permissions to header's organization
TagsNo tags attached.
Attached Files

- Relationships Relation Graph ] Dependency Graph ]
duplicate of design defect 0026170 closedAugustoMauch Openbravo ERP Role can add lines in sales order without access to the org of the header 
related to defect 0036661 closedrqueralta Retail Modules Wrong organization set to Business Partner address so order is not synchronized 
related to feature request 0036866 newplatform Openbravo ERP Make explicit in the UI why a toolbar button is disabled 
related to defect 0039784 closedranjith_qualiantech_com Retail Modules OBPOS_HardwareURL may be generated by org *  
causes defect 0036953 closedcaristu Openbravo ERP Can not create records in Organization window sub-tabs 

-  Notes
(0098743)
aferraz (developer)
2017-08-31 10:08

Problem is reproducible in any window.
You are not able to edit records belonging to organizations you don't have access to (which is ok).
You are able to create records belonging to organizations you have access to (which is ok), but being children of records belonging to organizations you don't have access to (which is not ok).
(0098822)
alostale (developer)
2017-09-05 09:09

Setting as feedback as this issue is under internal discussion on how it should be addressed.
(0099069)
hgbot (developer)
2017-09-15 12:31

Repository: erp/devel/pi
Changeset: 0c8047a2daa39f0c4daacccad122b69517a203e0
Author: Augusto Mauch <augusto.mauch <at> openbravo.com>
Date: Fri Sep 15 12:27:06 2017 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/0c8047a2daa39f0c4daacccad122b69517a203e0 [^]

Fixes issue 36725: Check role write access to organization of parent record

If the current role does not have writable access to the record selected in a tab, the user should not be allowed to create records in its subtabs.

Now this is taken into account in order to enable/disable the toolbar buttons that create new records, and also in the logic that creates a link to create new records in a tab if the gr
id is currently empty.

Now it will not be possible to enter records in a subtab if:
- The subtab has an editable organization field
- The user's role does not have writable access to the organization of the record selected in the parent tab.

Now the list of the current role of the user writable organizations is available in OB.User.writableOrganizations.

---
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/grid/ob-view-grid.js
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/main/ob-standard-view.js
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/toolbar/ob-toolbar.js
M modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/ApplicationDynamicComponent.java
M modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/templates/application-dynamic-js.ftl
---
(0099093)
hgbot (developer)
2017-09-18 10:23

Repository: erp/devel/pi
Changeset: f9da9c951a5dbec42cd7630692e55b7dd2c50f79
Author: Augusto Mauch <augusto.mauch <at> openbravo.com>
Date: Mon Sep 18 10:20:43 2017 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/f9da9c951a5dbec42cd7630692e55b7dd2c50f79 [^]

Related with issue 36725: Prevents error when opening direct subtab

The following case was not working:
- Open Window, Tabs and Fields
- Select any field, open it in form view
- Click on the "Column" field title. It should open the Tables and Columns window and focus on the Column tab, but it will fail.

This happens because it was not enough to check if this.parentView.viewGrid.getSelectedRecord() was null, it could also be undefined.

---
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/main/ob-standard-view.js
---
(0099400)
hudsonbot (developer)
2017-09-21 16:50

A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/9750b78d3e5c [^]
Maturity status: Test
(0099402)
hudsonbot (developer)
2017-09-21 16:50

A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/9750b78d3e5c [^]
Maturity status: Test
(0099464)
caristu (developer)
2017-09-22 10:10
edited on: 2017-09-22 10:13

There is still one way to create records that is not being taken into account, through the right click context menu:

- Right click > Insert row
- Right click > New record in form

https://docs.google.com/spreadsheets/d/18l2biKWeG6iGDIPqO6VuYQ_TtP_6YxyQU4KSrPvQlJ8/edit#gid=0 [^]

(0099474)
hgbot (developer)
2017-09-22 11:04

Repository: erp/devel/pi
Changeset: cf859d178908414a35b159d55df22169cc7afd3d
Author: Augusto Mauch <augusto.mauch <at> openbravo.com>
Date: Fri Sep 22 10:40:47 2017 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/cf859d178908414a35b159d55df22169cc7afd3d [^]

Fixes issue 36725: Records cannot be created using grid's contextual menu

Now if the user cannot add records because its role does not have access to the organization selected in the parent tab, it will not be possible
to add records using the grid's contextual menu.

This needs to be addressed in two different contextuals menus:
- The one shown when right-clicking on a grid record
- The one shown when right-clicking on the grid empty space

Also, simplifies an if condition to check for null/undefined

---
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/grid/ob-view-grid.js
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/main/ob-standard-view.js
---
(0099480)
caristu (developer)
2017-09-22 12:34

Code reviewed + tested OK.
(0099501)
hudsonbot (developer)
2017-09-22 18:28

A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/b4329e391b82 [^]
Maturity status: Test

- Issue History
Date Modified Username Field Change
2017-08-28 10:13 maite New Issue
2017-08-28 10:13 maite Assigned To => Triage Finance
2017-08-28 10:13 maite Modules => Core
2017-08-28 10:13 maite Triggers an Emergency Pack => No
2017-08-28 10:13 maite Issue Monitored: networkb
2017-08-31 09:40 aferraz Steps to Reproduce Updated View Revisions
2017-08-31 10:00 aferraz Assigned To Triage Finance => platform
2017-08-31 10:08 aferraz Note Added: 0098743
2017-08-31 11:47 alostale Relationship added duplicate of 0026170
2017-09-05 09:09 alostale Note Added: 0098822
2017-09-05 09:09 alostale Status new => feedback
2017-09-11 10:45 maite Relationship added related to 0036661
2017-09-13 16:36 maite Status feedback => new
2017-09-14 10:03 AugustoMauch Assigned To platform => AugustoMauch
2017-09-15 12:30 AugustoMauch Review Assigned To => caristu
2017-09-15 12:31 hgbot Checkin
2017-09-15 12:31 hgbot Note Added: 0099069
2017-09-15 12:31 hgbot Status new => resolved
2017-09-15 12:31 hgbot Resolution open => fixed
2017-09-15 12:31 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/0c8047a2daa39f0c4daacccad122b69517a203e0 [^]
2017-09-15 12:43 AugustoMauch Relationship added related to 0036866
2017-09-18 10:23 hgbot Checkin
2017-09-18 10:23 hgbot Note Added: 0099093
2017-09-21 16:50 hudsonbot Checkin
2017-09-21 16:50 hudsonbot Note Added: 0099400
2017-09-21 16:50 hudsonbot Checkin
2017-09-21 16:50 hudsonbot Note Added: 0099402
2017-09-22 10:10 caristu Note Added: 0099464
2017-09-22 10:12 caristu Note Edited: 0099464 View Revisions
2017-09-22 10:13 caristu Note Edited: 0099464 View Revisions
2017-09-22 10:32 caristu Status resolved => new
2017-09-22 10:32 caristu Resolution fixed => open
2017-09-22 11:04 hgbot Checkin
2017-09-22 11:04 hgbot Note Added: 0099474
2017-09-22 11:04 hgbot Status new => resolved
2017-09-22 11:04 hgbot Resolution open => fixed
2017-09-22 11:04 hgbot Fixed in SCM revision http://code.openbravo.com/erp/devel/pi/rev/0c8047a2daa39f0c4daacccad122b69517a203e0 [^] => http://code.openbravo.com/erp/devel/pi/rev/cf859d178908414a35b159d55df22169cc7afd3d [^]
2017-09-22 12:34 caristu Note Added: 0099480
2017-09-22 12:34 caristu Status resolved => closed
2017-09-22 12:34 caristu Fixed in Version => 3.0PR17Q4
2017-09-22 18:28 hudsonbot Checkin
2017-09-22 18:28 hudsonbot Note Added: 0099501
2017-09-26 13:20 caristu Relationship added causes 0036953
2019-05-27 17:12 mtaal Relationship added related to 0039784


Copyright © 2000 - 2009 MantisBT Group
Powered by Mantis Bugtracker