View Issue Details
ID | ||||||||
0054207 | ||||||||
Type | Category | Severity | Reproducibility | Date Submitted | Last Update | |||
defect | [Openbravo ERP] A. Platform | major | have not tried | 2023-12-22 16:17 | 2023-12-27 14:49 | |||
Reporter | caristu | View Status | public | |||||
Assigned To | Triage Platform Base | |||||||
Priority | high | Resolution | fixed | Fixed in Version | PR24Q1 | |||
Status | closed | Fix in branch | Fixed in SCM revision | |||||
Projection | none | ETA | none | Target Version | ||||
OS | Any | Database | Any | Java version | ||||
OS Version | Database version | Ant version | ||||||
Product Version | SCM revision | |||||||
Review Assigned To | ||||||||
Web browser | ||||||||
Modules | Core | |||||||
Regression level | ||||||||
Regression date | 2023-10-04 | |||||||
Regression introduced in release | pi | |||||||
Regression introduced by commit | https://gitlab.com/openbravo/product/openbravo/-/commit/c4e47a6e93227939e01245ebfc44072f61c86c3c | |||||||
Triggers an Emergency Pack | No | |||||||
Summary | 0054207: Cannot execute JSON WS request with roles without access to the GCSystem entity | |||||||
Description | There is a special case where executing WS requests to the standard JSON web services fails if the execution is done by a user whose default role does not have read access to the GCSystem entity. | |||||||
Steps To Reproduce |
1- Log in to Openbravo
2- Switch to use the role "Group - Admin" of The White Valley Group and set it as default role for this user. Note that this user does not have read access to the GCSystem entity
3- Restart Tomcat. This is important, as this way in the next step we ensure that the first request is done with a role that cannot access the GCSystem entity
4- Make a GET request to any of the standard WS requests, for example: http://localhost:8080/openbravo/org.openbravo.service.json.jsonrest/Country
5- The request fails and the response shows the following error:

    {"response":{"data":[{"response":{"status":-1,"error":{"message":"OBUIAPP_ActionNotAllowed","type":"user"},"totalRows":0}}

The following stack trace is shown in the log:

    org.openbravo.base.exception.OBSecurityException: Entity OBUIAPP_GC_System is not readable by the user 100
        at org.openbravo.dal.security.EntityAccessChecker.checkReadable(EntityAccessChecker.java:639) ~[classes/:?]
        at org.openbravo.dal.service.OBDal.checkReadAccess(OBDal.java:749) ~[classes/:?]
        at org.openbravo.dal.service.OBDal.checkReadAccess(OBDal.java:736) ~[classes/:?]
        at org.openbravo.dal.service.OBDal.createCriteria(OBDal.java:572) ~[classes/:?]
        at org.openbravo.client.application.window.StandardWindowComponent.getSystemGridConfig(StandardWindowComponent.java:195) ~[classes/:?]
        at org.openbravo.base.GridConfigurationCache.initializeSystemConfig(GridConfigurationCache.java:74) ~[classes/:?]
Tags | No tags attached. | |||||||
Notes | |
(0158554) hgbot (developer) 2023-12-22 16:28 |
Merge Request created: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/1086 |
(0158652) hgbot (developer) 2023-12-27 14:49 |
Merge request merged: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/1086 |
(0158653) hgbot (developer) 2023-12-27 14:49 |
Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/openbravo/product/openbravo
Changeset: 6741d497ee60627a66f3d77f95d2fe4c081c8f8a
Author: Carlos Aristu <carlos.aristu@openbravo.com>
Date: 27-12-2023 12:06:34
URL: https://gitlab.com/openbravo/product/openbravo/-/commit/6741d497ee60627a66f3d77f95d2fe4c081c8f8a

fixes BUG-54207: JSON WS request may fail if the user cannot access GCSystem

When fetching data through a JSON WS request, the grid configuration information is initialized on the first request. If this request is done by a user whose default role does not have read access to the grid configuration tables, then the request fails with an OBSecurityException.

To fix this problem we now ensure that this information is always read in admin mode.

---
M src/org/openbravo/base/GridConfigurationCache.java
--- |
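
The failure and the fix described in the commit message above, as an added example that is not Openbravo's code: a shared cache populated on first use under the caller's role, next to the same load wrapped in a scoped admin mode. The class, the `GC_System` entity name and the permission model are hypothetical stand-ins.

```java
import java.util.Set;

// Added illustration: hypothetical stand-ins, not Openbravo classes.
public class LazyCacheAdminMode {
  static Set<String> readable = Set.of(); // entities the current role may read
  static int adminDepth = 0;              // > 0 while admin mode is active
  static String systemConfig;             // shared by all users, loaded on first request

  static void checkReadable(String entity) {
    if (adminDepth == 0 && !readable.contains(entity)) {
      throw new SecurityException("Entity " + entity + " is not readable by the user");
    }
  }

  // Before: the load runs under whatever role happens to make the first request.
  static String getConfigAsCaller() {
    if (systemConfig == null) {
      checkReadable("GC_System");
      systemConfig = "grid-config";
    }
    return systemConfig;
  }

  // After: system-level data is loaded in admin mode; finally always drops the elevation.
  static String getConfigInAdminMode() {
    if (systemConfig == null) {
      adminDepth++;
      try {
        checkReadable("GC_System");
        systemConfig = "grid-config";
      } finally {
        adminDepth--;
      }
    }
    return systemConfig;
  }

  public static void main(String[] args) {
    readable = Set.of("Country"); // constructed role: can read Country, not GC_System
    try {
      getConfigAsCaller();
    } catch (SecurityException e) {
      System.out.println("before: " + e.getMessage());
    }
    System.out.println("after: " + getConfigInAdminMode());
    try {
      checkReadable("GC_System"); // the caller's own access is unchanged
    } catch (SecurityException e) {
      System.out.println("elevation did not leak: " + e.getMessage());
    }
  }
}
```

The elevation covers only the load of the shared system data; the caller's own entity checks still run with the caller's role once the block exits.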
Issue History | |||
Date Modified | Username | Field | Change |
2023-12-22 16:17 | caristu | New Issue | |
2023-12-22 16:17 | caristu | Assigned To | => Triage Platform Base |
2023-12-22 16:17 | caristu | Modules | => Core |
2023-12-22 16:17 | caristu | Triggers an Emergency Pack | => No |
2023-12-22 16:18 | caristu | Regression date | => 2023-10-04 |
2023-12-22 16:18 | caristu | Regression introduced by commit | => https://gitlab.com/openbravo/product/openbravo/-/commit/c4e47a6e93227939e01245ebfc44072f61c86c3c |
2023-12-22 16:18 | caristu | Relationship added | caused by 0053358 |
2023-12-22 16:19 | caristu | Steps to Reproduce Updated | View Revisions |
2023-12-22 16:20 | caristu | Regression introduced in release | => pi |
2023-12-22 16:20 | caristu | Steps to Reproduce Updated | View Revisions |
2023-12-22 16:28 | hgbot | Note Added: 0158554 | |
2023-12-27 14:49 | hgbot | Note Added: 0158652 | |
2023-12-27 14:49 | hgbot | Resolution | open => fixed |
2023-12-27 14:49 | hgbot | Status | new => closed |
2023-12-27 14:49 | hgbot | Fixed in Version | => PR24Q1 |
2023-12-27 14:49 | hgbot | Note Added: 0158653 |