
View Issue Details
Type: feature request
Category: [Openbravo ERP] C. Security
Severity: minor
Reproducibility: always
Date Submitted: 2009-02-05 06:42
Last Update: 2009-05-22 19:36
Reporter: pjuvara
View Status: public
Assigned To: iciordia
Priority: normal
Resolution: open
Status: acknowledged
Projection: none
ETA: none
OS: Any
Database: Any
Product Version: 2.40
Triggers an Emergency Pack: No

0007374: Secure records so that only user who created them can view them

Description
You should be able to declare in AD that in a particular window only the user who created the records is able to see them.

This behavior is for instance needed in the requisition flow where only the employee who created a requisition and the purchasing agent should be able to see them.
We have resolved this requirement in 2.40 with a workaround: we duplicated the window and added a custom where clause to enforce security.
This implementation however is not fully correct as it creates redundant code and it is confusing. See issues 7311 and 4716 for more details.

Another example of this need is in the Employee Appraisal module about to be published on top of 2.50. In that case, only the manager who created the appraisal, her management chain and the HR manager are able to see records. In that case, there is an additional twist as the manager is able to share the appraisal with the employee, so depending on the record status other users are also able to see the record.
Proposed Solution
In order to avoid duplications, we should allow specifying a custom filter in the role - window association.
This custom filter is applied in addition to the standard organization-based security.

- Relationships
related to feature request 0007311 (closed, pjuvara): M_requisition Window doesn't follow security model
related to feature request 0004716 (closed, pjuvara): Requisition and Manage Requisitions form are almost identical

-  Notes
There are no notes attached to this issue.

- Issue History
Date Modified Username Field Change
2009-02-05 06:42 pjuvara New Issue
2009-02-05 06:42 pjuvara Assigned To => pjuvara
2009-02-05 06:42 pjuvara sf_bug_id 0 => 2566916
2009-02-05 06:42 pjuvara Regression testing => No
2009-02-05 06:43 pjuvara Relationship added related to 0007311
2009-02-05 06:43 pjuvara Relationship added related to 0004716
2009-02-05 06:43 pjuvara Status new => acknowledged
2009-02-05 06:43 pjuvara Tag Attached: ReleaseCandidate
2009-05-22 19:36 pjuvara Assigned To pjuvara => iciordia
