| View Issue Details | |||||||
| ID | ||||||||
| 0056631 | ||||||||
| Type | Category | Severity | Reproducibility | Date Submitted | Last Update | |||
| defect | [Openbravo ERP] C. Security | major | always | 2024-10-03 09:07 | 2025-03-27 15:47 | |||
| Reporter | eduardo_Argal | View Status | public | |||||
| Assigned To | AugustoMauch | |||||||
| Priority | immediate | Resolution | duplicate | Fixed in Version | ||||
| Status | closed | Fix in branch | Fixed in SCM revision | |||||
| Projection | none | ETA | none | Target Version | pi | |||
| OS | Any | Database | Any | Java version | ||||
| OS Version | Database version | Ant version | ||||||
| Product Version | pi | SCM revision | ||||||
| Merge Request Status | approved | |||||||
| Review Assigned To | ||||||||
| OBNetwork customer | No | |||||||
| Web browser | ||||||||
| Modules | Core | |||||||
| Support ticket | ||||||||
| Regression level | Production - Confirmed Stable | |||||||
| Regression date | 2023-10-17 | |||||||
| Regression introduced in release | PR24Q1 | |||||||
| Regression introduced by commit | ||||||||
| Triggers an Emergency Pack | No | |||||||
| Summary | 0056631: A user with a non-Manual role can access, edit and create transactions in any organization | |||||||
| Description | A user with a non-Manual role can access, edit and create transactions in any organization even if the organization access is limited to one store. | |||||||
| Steps To Reproduce | 1) Log in as Orhi Store User 2) Go to Purchase Order Window 3) Create a new record 4) Mind that the organization combo displays the full list of organizations when it should just display the organizations defined in the Org Access tab for his/her role 5) Change the configuration for the role to Manual 6) Repeat the steps and mind that now the organization combo works properly | |||||||
| Proposed Solution | Workaround: it is possible to prevent access to organizations for automatic roles by creating those roles as disabled (Active = false) in the Role > Org Access tab. | |||||||
| Tags | No tags attached. | |||||||
| Attached Files | ||||||||
Notes |
|
|
(0172565) hgbot (developer) 2024-11-25 23:27 |
Merge Request created: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/1457 |
|
(0176000) hgbot (developer) 2025-02-21 08:37 |
Directly closing issue as related merge request is already approved.
Repository: https://gitlab.com/orisha-group/bu-commerce/openbravo/product/openbravo
Changeset: 8e8d75cd209ccc558e477a8cf67066e216eda29f
Author: Augusto Mauch <amauch@orisha.com>
Date: 20-02-2025 22:28:33
URL: https://gitlab.com/orisha-group/bu-commerce/openbravo/product/openbravo/-/commit/8e8d75cd209ccc558e477a8cf67066e216eda29f

Fixes ISSUE-56631: Automatic role should only get auto write access to 0

Auto roles should get automatic read access to all orgs by default, but only to write access to 0
---
M referencedata/sampledata/F_B_International_Group/AD_ROLE_ORGACCESS.xml
M src/org/openbravo/base/secureApp/LoginUtils.java
M src/org/openbravo/dal/core/OBContext.java
--- |
|
(0176001) hgbot (developer) 2025-02-21 08:37 |
Merge request merged: https://gitlab.com/orisha-group/bu-commerce/openbravo/product/openbravo/-/merge_requests/1457 |
|
(0176002) hgbot (developer) 2025-02-21 09:11 |
Merge Request created: https://gitlab.com/orisha-group/bu-commerce/openbravo/product/openbravo/-/merge_requests/1549 |
|
(0176003) hgbot (developer) 2025-02-21 09:12 |
Directly closing issue as related merge request is already approved.
Repository: https://gitlab.com/orisha-group/bu-commerce/openbravo/product/openbravo
Changeset: e5fb01a0a2ae195cb818f478e91b40024ae03f72
Author: Augusto Mauch <amauch@orisha.com>
Date: 21-02-2025 09:11:16
URL: https://gitlab.com/orisha-group/bu-commerce/openbravo/product/openbravo/-/commit/e5fb01a0a2ae195cb818f478e91b40024ae03f72

Fixes ISSUE-56631: Automatic role should only get auto write access to 0

Auto roles should get automatic read access to all orgs by default, but only to write access to 0
---
M referencedata/sampledata/F_B_International_Group/AD_ROLE_ORGACCESS.xml
M src/org/openbravo/base/secureApp/LoginUtils.java
M src/org/openbravo/dal/core/OBContext.java
--- |
|
(0176004) hgbot (developer) 2025-02-21 09:12 |
Merge request merged: https://gitlab.com/orisha-group/bu-commerce/openbravo/product/openbravo/-/merge_requests/1549 |
|
(0176012) hgbot (developer) 2025-02-21 10:20 |
Directly closing issue as related merge request is already approved.
Repository: https://gitlab.com/orisha-group/bu-commerce/openbravo/product/openbravo
Changeset: 08a0bc887a7c3d76cb31bcef0c65641d3c772876
Author: Augusto Mauch <amauch@orisha.com>
Date: 21-02-2025 10:20:10
URL: https://gitlab.com/orisha-group/bu-commerce/openbravo/product/openbravo/-/commit/08a0bc887a7c3d76cb31bcef0c65641d3c772876

Revert "Fixes ISSUE-56631: Automatic role should only get auto write access to 0"

This reverts commit 8e8d75cd209ccc558e477a8cf67066e216eda29f.
---
M referencedata/sampledata/F_B_International_Group/AD_ROLE_ORGACCESS.xml
M src/org/openbravo/base/secureApp/LoginUtils.java
M src/org/openbravo/dal/core/OBContext.java
--- |
|
(0176054) hgbot (developer) 2025-02-23 23:23 |
Merge Request created: https://gitlab.com/orisha-group/bu-commerce/openbravo/product/openbravo/-/merge_requests/1551 |
|
(0176055) hgbot (developer) 2025-02-24 00:18 |
Merge Request created: https://gitlab.com/orisha-group/bu-commerce/openbravo/product/pmods/org.openbravo.retail.sampledata/-/merge_requests/146 |
|
(0176061) AugustoMauch (administrator) 2025-02-24 08:44 |
Reopened, because fix was backed out, it broke CI |
|
(0176192) hgbot (developer) 2025-02-27 09:20 |
Directly closing issue as related merge request is already approved.
Repository: https://gitlab.com/orisha-group/bu-commerce/openbravo/product/openbravo
Changeset: 882ef9c7955de44582c5fa02706b4a260ae50185
Author: Augusto Mauch <amauch@orisha.com>
Date: 27-02-2025 09:16:12
URL: https://gitlab.com/orisha-group/bu-commerce/openbravo/product/openbravo/-/commit/882ef9c7955de44582c5fa02706b4a260ae50185

Related to ISSUE-56631: Revert "Fixes ISSUE-56631: Automatic role should only get auto write access to 0"

This reverts commit e5fb01a0a2ae195cb818f478e91b40024ae03f72.
---
M referencedata/sampledata/F_B_International_Group/AD_ROLE_ORGACCESS.xml
M src/org/openbravo/base/secureApp/LoginUtils.java
M src/org/openbravo/dal/core/OBContext.java
--- |
|
(0177657) hgbot (developer) 2025-03-27 15:47 |
Issue exported to Jira: https://openbravo.atlassian.net/browse/RM-24385 |
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2024-10-03 09:07 | eduardo_Argal | New Issue | |
| 2024-10-03 09:07 | eduardo_Argal | Assigned To | => alostale |
| 2024-10-03 09:07 | eduardo_Argal | OBNetwork customer | => No |
| 2024-10-03 09:07 | eduardo_Argal | Modules | => Core |
| 2024-10-03 09:07 | eduardo_Argal | Regression level | => Production - Confirmed Stable |
| 2024-10-03 09:07 | eduardo_Argal | Triggers an Emergency Pack | => No |
| 2024-10-15 10:34 | alostale | Assigned To | alostale => Triage Platform Base |
| 2024-10-17 14:38 | AugustoMauch | Proposed Solution updated | |
| 2024-10-17 14:39 | AugustoMauch | Proposed Solution updated | |
| 2024-11-22 11:13 | AugustoMauch | Status | new => scheduled |
| 2024-11-25 23:27 | hgbot | Merge Request Status | => open |
| 2024-11-25 23:27 | hgbot | Note Added: 0172565 | |
| 2024-11-28 10:32 | alostale | Relationship added | caused by 0053408 |
| 2024-11-28 10:33 | alostale | Regression date | => 2023-10-17 |
| 2024-11-28 10:33 | alostale | Regression introduced in release | => PR24Q1 |
| 2024-11-28 10:36 | alostale | Proposed Solution updated | |
| 2025-02-12 11:46 | hgbot | Merge Request Status | open => approved |
| 2025-02-21 08:34 | AugustoMauch | Status | scheduled => closed |
| 2025-02-21 08:35 | AugustoMauch | Status | closed => new |
| 2025-02-21 08:35 | AugustoMauch | Status | new => scheduled |
| 2025-02-21 08:37 | hgbot | Resolution | open => fixed |
| 2025-02-21 08:37 | hgbot | Status | scheduled => closed |
| 2025-02-21 08:37 | hgbot | Fixed in Version | => PR25Q2 |
| 2025-02-21 08:37 | hgbot | Note Added: 0176000 | |
| 2025-02-21 08:37 | hgbot | Note Added: 0176001 | |
| 2025-02-21 09:11 | hgbot | Note Added: 0176002 | |
| 2025-02-21 09:12 | hgbot | Fixed in Version | PR25Q2 => PR24Q4.1 |
| 2025-02-21 09:12 | hgbot | Note Added: 0176003 | |
| 2025-02-21 09:12 | hgbot | Note Added: 0176004 | |
| 2025-02-21 10:20 | hgbot | Fixed in Version | PR24Q4.1 => PR25Q2 |
| 2025-02-21 10:20 | hgbot | Note Added: 0176012 | |
| 2025-02-23 23:23 | hgbot | Note Added: 0176054 | |
| 2025-02-24 00:18 | hgbot | Note Added: 0176055 | |
| 2025-02-24 08:44 | AugustoMauch | Note Added: 0176061 | |
| 2025-02-24 08:44 | AugustoMauch | Status | closed => new |
| 2025-02-24 08:44 | AugustoMauch | Resolution | fixed => open |
| 2025-02-24 08:44 | AugustoMauch | Fixed in Version | PR25Q2 => |
| 2025-02-24 08:44 | AugustoMauch | Status | new => acknowledged |
| 2025-02-27 09:20 | hgbot | Resolution | open => fixed |
| 2025-02-27 09:20 | hgbot | Status | acknowledged => closed |
| 2025-02-27 09:20 | hgbot | Fixed in Version | => PR24Q4.1 |
| 2025-02-27 09:20 | hgbot | Note Added: 0176192 | |
| 2025-03-27 15:46 | AugustoMauch | Assigned To | Triage Platform Base => |
| 2025-03-27 15:46 | AugustoMauch | Fixed in Version | PR24Q4.1 => |
| 2025-03-27 15:47 | AugustoMauch | Assigned To | => AugustoMauch |
| 2025-03-27 15:47 | hgbot | Note Added: 0177657 | |
| 2025-03-27 15:47 | hgbot | Resolution | fixed => duplicate |