ID: 0057770
Type: backport
Category: [Openbravo ERP] A. Platform
Severity: major
Reproducibility: have not tried
Date Submitted: 2025-01-28 08:48
Last Update: 2025-02-03 11:19
Reporter: AugustoMauch
View Status: public
Assigned To: AugustoMauch
Priority: normal
Resolution: fixed
Fixed in Version: PR25Q1
Status: closed
Projection: none
ETA: none
Target Version: PR25Q1
OS: Any
Database: Any
Merge Request Status: approved
OBNetwork customer: No
Modules: Core
Triggers an Emergency Pack: No

Summary

0057770: Entity is not accessible by role, even when the role configuration should allow it

Description

Depending on how other roles are configured, it is possible that an automatic role, that should by default have access to all entities, will miss access to some.

Steps To Reproduce

- Create a role called ManualTest.
- Set it as manual
- Create an entry in the Window Access subtab. Window: Sales order, Active: false

- Create another role called NonManualTest
- Make sure Manual=false
- Assign it to the Openbravo user
- Logout

- Login as Openbravo
- Change role, use NonManualTest
- Open Sales Order. An error will be displayed when rendering rows for the Lines subtab:

org.openbravo.base.exception.OBSecurityException: Entity OrderLine is not accessible by this role/user: TestRoleNotAdvanced/Openbravo

Tags: No tags attached.

Relationships
blocks defect 0057769 (closed, AugustoMauch): Entity is not accessible by role, even when the role configuration should allow it

Notes
(0174834)
hgbot (developer)
2025-01-29 08:56

Merge Request created: https://gitlab.com/orisha-group/bu-commerce/openbravo/product/openbravo/-/merge_requests/1516
(0175044)
hgbot (developer)
2025-02-03 11:19

Merge request merged: https://gitlab.com/orisha-group/bu-commerce/openbravo/product/openbravo/-/merge_requests/1516
(0175045)
hgbot (developer)
2025-02-03 11:19

Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/orisha-group/bu-commerce/openbravo/product/openbravo
Changeset: bccea0f4b357fe1951f62ddce3b69b6f034a7a5d
Author: Augusto Mauch <amauch@orisha.com>
Date: 29-01-2025 08:55:33
URL: https://gitlab.com/orisha-group/bu-commerce/openbravo/product/openbravo/-/commit/bccea0f4b357fe1951f62ddce3b69b6f034a7a5d

Fixes ISSUE-57770: Table access for auto role is not properly checked

There was a problem in the query that was used to determine if an auto role was explicitly denied access
to a given table, in the getAutomaticTableAccess method. The problem was that the query wanted to check
that there are no disabled entries in ADWindowAccess for this role, but the role filter was missing in
the subquery. As a consequence, if a table was disabled for other roles, the configuration leaked to other
auto roles.

Also a change was done to getManualTableAccess to avoid granting access to tables, if the isActive property
in the header tab is false.

---
M src/org/openbravo/dal/security/EntityAccessChecker.java
---
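
The missing role filter described in the commit message above, reproduced as an added example that is not the project's code. The SQLite schema, table and column names and both queries are constructed assumptions, not Openbravo's ADWindowAccess model or the real getAutomaticTableAccess query; the data mirrors the reproduction steps.

```python
import sqlite3

# Constructed, simplified schema (assumption): not Openbravo's real tables or query.
# 'NonManualTest' stands for the automatic role, 'ManualTest' for the manual one.
SCHEMA = """
CREATE TABLE window_table (window_name TEXT, table_name TEXT);
CREATE TABLE window_access (role_id TEXT, window_name TEXT, active INTEGER NOT NULL);
INSERT INTO window_table VALUES ('Sales Order', 'Order'), ('Sales Order', 'OrderLine'),
                                ('Product', 'Product');
-- Mirrors the reproduction steps: only the manual role has a disabled entry.
INSERT INTO window_access VALUES ('ManualTest', 'Sales Order', 0);
"""

# Leaky form: the subquery never mentions the role being checked, so a disabled
# entry that belongs to any role removes the table for every automatic role.
LEAKY = """
SELECT DISTINCT wt.table_name FROM window_table wt
WHERE NOT EXISTS (SELECT 1 FROM window_access wa
                  WHERE wa.window_name = wt.window_name AND wa.active = 0)
"""

# Scoped form: identical, plus the role filter inside the subquery.
SCOPED = """
SELECT DISTINCT wt.table_name FROM window_table wt
WHERE NOT EXISTS (SELECT 1 FROM window_access wa
                  WHERE wa.window_name = wt.window_name AND wa.active = 0
                    AND wa.role_id = :role)
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def auto_role_tables(conn, query, role):
    """Return the set of tables an automatic role may read under `query`."""
    rows = conn.execute(query, {"role": role}).fetchall()
    return {name for (name,) in rows}

def cross_role_leaks(conn, role):
    """Regression check: tables lost only because of another role's settings."""
    return auto_role_tables(conn, SCOPED, role) - auto_role_tables(conn, LEAKY, role)

if __name__ == "__main__":
    db = open_db()
    print("leaky :", sorted(auto_role_tables(db, LEAKY, "NonManualTest")))
    print("scoped:", sorted(auto_role_tables(db, SCOPED, "NonManualTest")))
    print("lost through another role:", sorted(cross_role_leaks(db, "NonManualTest")))
```

A non-empty result from `cross_role_leaks` is the symptom reported in this issue: the automatic role loses OrderLine only because a different role has a disabled Sales Order entry.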

Issue History
Date Modified Username Field Change
2025-01-28 08:50 AugustoMauch Type defect => backport
2025-01-28 08:50 AugustoMauch Target Version => PR25Q1
2025-01-29 08:56 hgbot Merge Request Status => open
2025-01-29 08:56 hgbot Note Added: 0174834
2025-01-29 10:19 hgbot Merge Request Status open => approved
2025-02-03 11:19 hgbot Note Added: 0175044
2025-02-03 11:19 hgbot Resolution open => fixed
2025-02-03 11:19 hgbot Status scheduled => closed
2025-02-03 11:19 hgbot Fixed in Version => PR25Q1
2025-02-03 11:19 hgbot Note Added: 0175045

