ID | 0007709
Type | defect
Category | [Openbravo ERP] 01. General setup
Severity | major
Reproducibility | always
Date Submitted | 2009-02-20 10:46
Last Update | 2009-04-22 00:00
Reporter | roklenardic
View Status | public
Assigned To | alostale
Priority | high
Resolution | fixed
Fixed in Version | 2.50
Status | closed
Fix in branch |
Fixed in SCM revision | f432462f35a0
Projection | none
ETA | none
Target Version |
OS | Linux 32 bit
Database | PostgreSQL
Java version | 1.6.0_10
OS Version | Ubuntu 8.10
Database version | 8.3.5
Ant version | 1.7.1
Product Version | pi
SCM revision | 13140
Merge Request Status |
Review Assigned To |
OBNetwork customer | No
Web browser |
Modules | Core
Support ticket |
Regression level |
Regression date |
Regression introduced in release |
Regression introduced by commit |
Triggers an Emergency Pack | No
Summary | 0007709: Alerts Multitenancy security issue
Description | Having several clients inside the database confuses the alerting feature, which in turn shows alerts of all clients when logged in as admin of one particular client.
Steps To Reproduce |
1) Enter as Sys Admin, go to General Setup || Application || Alert and activate the "Customers with exceeded credit" alert.
2) Switch to Openbravo Admin and add the Openbravo Admin role to the recipients of the alert above.
3) Go to General Setup || Process Scheduling || Process Request and enter a new record with Process=Alert Process, Timing=Schedule, Frequency=every n minutes, Interval in minutes=1.
4) Save.
5) Click the Schedule Process button.
6) Rename reference/importclient/BigBazaar.xml to reference/importclient/AnotherBazaar.xml.
7) Switch to the Sys Admin role, go to General Setup || Client || Import Client, enter "AnotherBazaar" and confirm. This will import a new client, AnotherBazaar, identical to BigBazaar.
8) Switch to Openbravo Admin of the BigBazaar client and see how two alerts appear, both for the same Neil Reiley business partner being over credit, one from BigBazaar and one from AnotherBazaar.
This is a security issue since Openbravo Admin from BigBazaar should not be seeing items from AnotherBazaar's data.
Tags | No tags attached.
Attached Files |
(0013811) roklenardic (viewer) 2009-02-20 10:58
Even if one switches to the Sys Admin role, the Alert still appears, which means there is also a Role security hole.
(0014299) anthony_wolski (viewer) 2009-03-03 13:04
I am unable to reproduce this bug. I am working on the pre-integration repository (which is now SmallBazaar) and have followed the steps outlined in Steps To Reproduce. There are 2 alerts in the database, obviously each with a different referencekey_id, and I can log in as Openbravo Admin for each of the clients (SmallBazaar and AnotherBazaar) and each one only has a single alert.
(0014551) roklenardic (viewer) 2009-03-10 14:32
In rok@nautiloos:~/openbravoTrunk$ hg id
ac6d3962082a+ tip
revision of the devel/main I cannot even see the Alert Management window, I get:
14:22:43 [http-8180-6] ERROR org.openbravo.erpCommon.ad_forms.AlertManagement - Error captured: java.lang.ArrayIndexOutOfBoundsException: 1
On top of that, when trying to copy a client, it doesn't work either, I get:
Error occurred org.hibernate.exception.GenericJDBCException: Could not execute JDBC batch update
So I cannot even check again for this error.
(0014730) alostale (viewer) 2009-03-17 16:42
Just two comments on this issue:
- The example alerts are not properly managing client/organizations; this is going to be fixed.
- It is a known issue that, as alerts execute queries directly on the database, they can obtain data without any restriction, thus the person in charge of creating alerts must be trusted. This will be faced when moving alerts to DAL.
(0014731) hgbot (developer) 2009-03-17 16:44
Repository: erp/devel/pi
Changeset: f432462f35a0168d397ca536eefb7b84687cc92a
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Tue Mar 17 16:43:29 2009 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/f432462f35a0168d397ca536eefb7b84687cc92a
fixed bug 0007709: Alerts Multitenancy security issue
---
M src-db/database/sourcedata/AD_ALERTRULE.xml
---
Date Modified | Username | Field | Change
2009-02-20 10:46 | roklenardic | New Issue |
2009-02-20 10:46 | roklenardic | Assigned To | => rafaroda
2009-02-20 10:46 | roklenardic | OBNetwork customer | => No
2009-02-20 10:46 | roklenardic | Regression testing | => No
2009-02-20 10:58 | roklenardic | Note Added: 0013811 |
2009-02-24 13:03 | rafaroda | Assigned To | rafaroda => anthony_wolski
2009-02-24 13:03 | rafaroda | Priority | normal => high
2009-02-24 13:03 | rafaroda | Status | new => scheduled
2009-03-03 13:04 | anthony_wolski | Note Added: 0014299 |
2009-03-03 13:04 | anthony_wolski | Status | scheduled => feedback
2009-03-10 14:32 | roklenardic | Note Added: 0014551 |
2009-03-16 11:09 | rafaroda | Assigned To | anthony_wolski => alostale
2009-03-16 11:09 | rafaroda | Status | feedback => scheduled
2009-03-17 16:42 | alostale | Note Added: 0014730 |
2009-03-17 16:44 | hgbot | Checkin |
2009-03-17 16:44 | hgbot | Note Added: 0014731 |
2009-03-17 16:44 | hgbot | Status | scheduled => resolved
2009-03-17 16:44 | hgbot | Resolution | open => fixed
2009-03-17 16:44 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/devel/pi/rev/f432462f35a0168d397ca536eefb7b84687cc92a
2009-04-21 10:33 | psarobe | Status | resolved => closed
2009-04-22 00:00 | anonymous | sf_bug_id | 0 => 2777979