details: https://code.openbravo.com/erp/devel/pi/rev/f919925114f0
changeset: 26338:f919925114f0
user: Naroa Iriarte <naroa.iriarte <at> openbravo.com>
date: Wed Apr 22 16:57:29 2015 +0200
summary: Fixed issue 29064: There are problems with the organization of the notes.

There were two problems:

First: When a note was created, it had context organization instead of document organization. To fix this, a new field which stores the note's organization has been created in the "ob-view-form-notes.js".

Second: If a note was added with an organization and after that the organization of the note was changed, there were problems handling it. A new manual datasource has been created for handling the fetch, add and remove operations of the notes, making sure that the organization filter is disabled. So, we grant the fact that if a user of one organization creates a note and after that the organization of the note is changed to another one to which the user has no access, the user will be able to see or delete the note.

details: https://code.openbravo.com/erp/devel/pi/rev/347fbcf3401f
changeset: 26339:347fbcf3401f
user: Naroa Iriarte <naroa.iriarte <at> openbravo.com>
date: Wed Apr 22 16:58:41 2015 +0200
summary: Related to issue 29064: Added test for the new NoteDataSource

A test for making sure that the new manual data source for the notes works properly. It does the fetch, add and remove methods of the NoteDataSource.java. The testFetchNotes test has a user of an American organization which creates a new note, so the note's organization is the same American organization. After that the organization of the note is changed to another one which is a Spanish organization for making sure that the two organizations are divergent. After that a fetch is done; now the user has no access to the new organization of the note, but it has to be possible to fetch the note. This is what this test does, a fetch making sure that the filter by the organizations is not done. The class DatasourceTestUtil has been modified for the correct performance of the testRemoveNotes.
diffstat: modules/org.openbravo.client.application/src-db/database/sourcedata/OBSERDS_DATASOURCE.xml | 1 + modules/org.openbravo.client.application/src/org/openbravo/client/application/window/FormInitializationComponent.java | 1 + modules/org.openbravo.client.application/web/org.openbravo.client.application/js/form/ob-view-form-notes.js | 25 +- modules/org.openbravo.client.application/web/org.openbravo.client.application/js/form/ob-view-form.js | 2 +- modules/org.openbravo.service.datasource/src/org/openbravo/service/datasource/DefaultDataSourceService.java | 27 +- modules/org.openbravo.service.datasource/src/org/openbravo/service/datasource/NoteDataSource.java | 124 +++++++ modules/org.openbravo.service.json/src/org/openbravo/service/json/DefaultJsonDataService.java | 19 +- src-test/src/org/openbravo/test/AllWebserviceTests.java | 2 + src-test/src/org/openbravo/test/datasource/DatasourceTestUtil.java | 12 +- src-test/src/org/openbravo/test/datasource/TestNoteDatasource.java | 172 ++++++++++ 10 files changed, 359 insertions(+), 26 deletions(-) diffs (truncated from 572 to 300 lines): diff -r 0b8b1170fe70 -r 347fbcf3401f modules/org.openbravo.client.application/src-db/database/sourcedata/OBSERDS_DATASOURCE.xml --- a/modules/org.openbravo.client.application/src-db/database/sourcedata/OBSERDS_DATASOURCE.xml Tue Apr 21 14:18:22 2015 +0200 +++ b/modules/org.openbravo.client.application/src-db/database/sourcedata/OBSERDS_DATASOURCE.xml Wed Apr 22 16:58:41 2015 +0200 
@@ -7,6 +7,7 @@ <!--090A37D22E61FE94012E621729090048--> <AD_MODULE_ID><![CDATA[9BA0836A3CD74EE4AB48753A47211BCC]]></AD_MODULE_ID> <!--090A37D22E61FE94012E621729090048--> <NAME><![CDATA[Notes Datasource]]></NAME> <!--090A37D22E61FE94012E621729090048--> <AD_TABLE_ID><![CDATA[090A37D22E61FE94012E620CD15D0030]]></AD_TABLE_ID> +<!--090A37D22E61FE94012E621729090048--> <CLASSNAME><![CDATA[org.openbravo.service.datasource.NoteDataSource]]></CLASSNAME> <!--090A37D22E61FE94012E621729090048--> <OBCLKER_TEMPLATE_ID><![CDATA[2BAD445C2A0343C58E455F9BD379C690]]></OBCLKER_TEMPLATE_ID> <!--090A37D22E61FE94012E621729090048--> <ISACTIVE><![CDATA[Y]]></ISACTIVE> <!--090A37D22E61FE94012E621729090048--> <USEASTABLEDATAORIGIN><![CDATA[N]]></USEASTABLEDATAORIGIN> diff -r 0b8b1170fe70 -r 347fbcf3401f modules/org.openbravo.client.application/src/org/openbravo/client/application/window/FormInitializationComponent.java --- a/modules/org.openbravo.client.application/src/org/openbravo/client/application/window/FormInitializationComponent.java Tue Apr 21 14:18:22 2015 +0200 +++ b/modules/org.openbravo.client.application/src/org/openbravo/client/application/window/FormInitializationComponent.java Wed Apr 22 16:58:41 2015 +0200 @@ -352,6 +352,7 @@ private int computeNoteCount(Tab tab, String rowId) { OBQuery<Note> obq = OBDal.getInstance().createQuery(Note.class, " table.id=:tableId and record=:recordId"); + obq.setFilterOnReadableOrganization(false); obq.setNamedParameter("tableId", (String) DalUtil.getId(tab.getTable())); obq.setNamedParameter("recordId", rowId); return obq.count(); diff -r 0b8b1170fe70 -r 347fbcf3401f modules/org.openbravo.client.application/web/org.openbravo.client.application/js/form/ob-view-form-notes.js --- a/modules/org.openbravo.client.application/web/org.openbravo.client.application/js/form/ob-view-form-notes.js Tue Apr 21 14:18:22 2015 +0200 
+++ b/modules/org.openbravo.client.application/web/org.openbravo.client.application/js/form/ob-view-form-notes.js Wed Apr 22 16:58:41 2015 +0200 @@ -11,7 +11,7 @@ * under the License. * The Original Code is Openbravo ERP. * The Initial Developer of the Original Code is Openbravo SLU - * All portions are Copyright (C) 2011-2014 Openbravo SLU + * All portions are Copyright (C) 2011-2015 Openbravo SLU * All Rights Reserved. * Contributor(s): Valery Lezhebokov. ************************************************************************ @@ -86,8 +86,8 @@ return this.noteCanvasItem.canvas; }, - setRecordInfo: function (entity, id) { - this.getNotePart().setRecordInfo(entity, id); + setRecordInfo: function (entity, id, notesForm) { + this.getNotePart().setRecordInfo(entity, id, notesForm); }, refresh: function () { @@ -194,14 +194,22 @@ this.noteDynamicForm.validate(); var noteDS = this.getNoteDataSource(); + var currentTime = new Date(); + var organizationOfTheNote; - var currentTime = new Date(); + //Here we are checking if the entity is 'Organization' because the way of obtaining the + //id of the organization of the form is different depending on the entity + if (this.entity === 'Organization') { + organizationOfTheNote = this.recordId; + } else { + organizationOfTheNote = this.notesForm.values.organization; + } noteDS.addData({ 'client': OB.User.clientId, - 'organization': OB.User.organizationId, - 'table': this.getForm().view.standardProperties.inpTableId, - 'record': this.getForm().view.viewGrid.getSelectedRecord().id, + 'organization': organizationOfTheNote, + 'table': this.notesForm.view.standardProperties.inpTableId, + 'record': this.notesForm.view.viewGrid.getSelectedRecord().id, 'note': note }, addNoteCallback); 
@@ -439,9 +447,10 @@ /** * Sets record information. */ - setRecordInfo: function (entity, id) { + setRecordInfo: function (entity, id, notesForm) { this.entity = entity; this.recordId = id; + this.notesForm = notesForm; }, refresh: function () { diff -r 0b8b1170fe70 -r 347fbcf3401f modules/org.openbravo.client.application/web/org.openbravo.client.application/js/form/ob-view-form.js --- a/modules/org.openbravo.client.application/web/org.openbravo.client.application/js/form/ob-view-form.js Tue Apr 21 14:18:22 2015 +0200 +++ b/modules/org.openbravo.client.application/web/org.openbravo.client.application/js/form/ob-view-form.js Wed Apr 22 16:58:41 2015 +0200 @@ -300,7 +300,7 @@ return; } if (enable) { - this.noteSection.setRecordInfo(this.view.entity, this.getValue(OB.Constants.ID)); + this.noteSection.setRecordInfo(this.view.entity, this.getValue(OB.Constants.ID), this); this.noteSection.collapseSection(true); delete this.noteSection.hiddenInForm; this.noteSection.refresh(); diff -r 0b8b1170fe70 -r 347fbcf3401f modules/org.openbravo.service.datasource/src/org/openbravo/service/datasource/DefaultDataSourceService.java --- a/modules/org.openbravo.service.datasource/src/org/openbravo/service/datasource/DefaultDataSourceService.java Tue Apr 21 14:18:22 2015 +0200 +++ b/modules/org.openbravo.service.datasource/src/org/openbravo/service/datasource/DefaultDataSourceService.java Wed Apr 22 16:58:41 2015 +0200 @@ -11,7 +11,7 @@ * under the License. * The Original Code is Openbravo ERP. * The Initial Developer of the Original Code is Openbravo SLU - * All portions are Copyright (C) 2010-2014 Openbravo SLU + * All portions are Copyright (C) 2010-2015 Openbravo SLU * All Rights Reserved. * Contributor(s): ______________________________________. ************************************************************************ 
@@ -66,10 +66,15 @@ * @see org.openbravo.service.datasource.DataSource#fetch(java.util.Map) */ public String fetch(Map<String, String> parameters) { - OBContext.setAdminMode(true); + return fetch(parameters, true); + } + + protected String fetch(Map<String, String> parameters, boolean shouldFilterOnRedeableOrganizations) { + OBContext.setAdminMode(shouldFilterOnRedeableOrganizations); try { addFetchParameters(parameters); - return DefaultJsonDataService.getInstance().fetch(parameters); + return DefaultJsonDataService.getInstance().fetch(parameters, + shouldFilterOnRedeableOrganizations); } finally { OBContext.restorePreviousMode(); } @@ -85,7 +90,7 @@ } } - private void addFetchParameters(Map<String, String> parameters) { + protected void addFetchParameters(Map<String, String> parameters) { if (getEntity() != null) { parameters.put(JsonConstants.ENTITYNAME, getEntity().getName()); @@ -139,7 +144,12 @@ */ @Override public String remove(Map<String, String> parameters) { - OBContext.setAdminMode(true); + return remove(parameters, true); + } + + protected String remove(Map<String, String> parameters, + boolean shouldFilterOnRedeableOrganizations) { + OBContext.setAdminMode(shouldFilterOnRedeableOrganizations); try { parameters.put(JsonConstants.ENTITYNAME, getEntity().getName()); return DefaultJsonDataService.getInstance().remove(parameters); @@ -155,7 +165,12 @@ */ @Override public String add(Map<String, String> parameters, String content) { - OBContext.setAdminMode(true); + return add(parameters, content, true); + } + + protected String add(Map<String, String> parameters, String content, + boolean shouldFilterOnRedeableOrganizations) { + OBContext.setAdminMode(shouldFilterOnRedeableOrganizations); try { parameters.put(JsonConstants.ENTITYNAME, getEntity().getName()); testAccessPermissions(parameters, content); diff -r 0b8b1170fe70 -r 347fbcf3401f modules/org.openbravo.service.datasource/src/org/openbravo/service/datasource/NoteDataSource.java 
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/org.openbravo.service.datasource/src/org/openbravo/service/datasource/NoteDataSource.java Wed Apr 22 16:58:41 2015 +0200 
@@ -0,0 +1,124 @@ +/* + ************************************************************************* + * The contents of this file are subject to the Openbravo Public License + * Version 1.1 (the "License"), being the Mozilla Public License + * Version 1.1 with a permitted attribution clause; you may not use this + * file except in compliance with the License. You may obtain a copy of + * the License at http://www.openbravo.com/legal/license.html + * Software distributed under the License is distributed on an "AS IS" + * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the + * License for the specific language governing rights and limitations + * under the License. + * The Original Code is Openbravo ERP. + * The Initial Developer of the Original Code is Openbravo SLU + * All portions are Copyright (C) 2015 Openbravo SLU + * All Rights Reserved. + * Contributor(s): ______________________________________. + ************************************************************************ + */ + +package org.openbravo.service.datasource; + +import java.util.Map; + +import org.codehaus.jettison.json.JSONArray; +import org.codehaus.jettison.json.JSONException; +import org.codehaus.jettison.json.JSONObject; +import org.openbravo.base.exception.OBException; +import org.openbravo.base.model.Entity; +import org.openbravo.base.model.ModelProvider; +import org.openbravo.base.structure.OrganizationEnabled; +import org.openbravo.client.application.Note; +import org.openbravo.dal.core.OBContext; +import org.openbravo.dal.security.SecurityChecker; +import org.openbravo.dal.service.OBDal; +import org.openbravo.model.ad.datamodel.Table; +import org.openbravo.service.json.JsonUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * A data source for the notes which manages the security. Checks if a user has access to the record + * of the note. 
+ * + * @author NaroaIriarte + * + */ +public class NoteDataSource extends DefaultDataSourceService { + private static final Logger log = LoggerFactory.getLogger(NoteDataSource.class); + + @Override + public String fetch(Map<String, String> parameters) { + String noteFetch = ""; + try { + JSONObject jsonCriteria = JsonUtils.buildCriteria(parameters); + JSONArray notesCriteria; + String tableId; + String recordId; + notesCriteria = jsonCriteria.getJSONArray("criteria"); + tableId = notesCriteria.getJSONObject(0).getString("value"); + recordId = notesCriteria.getJSONObject(1).getString("value"); + readableAccesForUser(tableId, recordId); + noteFetch = super.fetch(parameters, false); + } catch (JSONException ex) { + log.error("Exception while trying to perform a fetch", ex); + throw new OBException(ex); + } + return noteFetch; + } + + @Override + public String add(Map<String, String> parameters, String content) { + String noteAdd = ""; + try { + JSONObject noteData; + String tableId; + String recordId; + + final JSONObject jsonObject = new JSONObject(content); + noteData = jsonObject.getJSONObject("data"); + tableId = noteData.getString("table"); + recordId = noteData.getString("record"); + readableAccesForUser(tableId, recordId); + noteAdd = super.add(parameters, content, false); + } catch (JSONException ex) { + log.error("Exception while trying to add a new note", ex); + throw new OBException(ex); + } + return noteAdd; + } + + @Override + public String remove(Map<String, String> parameters) { + String noteRemove = ""; + OBContext.setAdminMode(false); + try { + String noteId = parameters.get("id"); + Note note = (Note) OBDal.getInstance().get(Note.class, noteId); + Table table = note.getTable(); + String tableId = table.getId(); + String recordId = note.getRecord(); + readableAccesForUser(tableId, recordId); + noteRemove = super.remove(parameters, false); + } catch (Exception ex) { + log.error("Exception while trying to remove a note", ex); + throw new 
OBException(ex); + } finally { + OBContext.restorePreviousMode(); + } + return noteRemove; + } + + /** + * Checks if the user has readable access to the record where the note is + */ + private void readableAccesForUser(String tableId, String recordId) { + Entity entity = ModelProvider.getInstance().getEntityByTableId(tableId); + if (entity != null) { + Object object = OBDal.getInstance().get(entity.getMappingClass(), recordId); + if (object instanceof OrganizationEnabled) { + SecurityChecker.getInstance().checkReadableAccess((OrganizationEnabled) object); + } + } + } +} \ No newline at end of file diff -r 0b8b1170fe70 -r 347fbcf3401f modules/org.openbravo.service.json/src/org/openbravo/service/json/DefaultJsonDataService.java --- a/modules/org.openbravo.service.json/src/org/openbravo/service/json/DefaultJsonDataService.java Tue Apr 21 14:18:22 2015 +0200 +++ b/modules/org.openbravo.service.json/src/org/openbravo/service/json/DefaultJsonDataService.java Wed Apr 22 16:58:41 2015 +0200 @@ -83,6 +83,10 @@ * @see org.openbravo.service.json.JsonDataService#fetch(java.util.Map) */ public String fetch(Map<String, String> parameters) { + return fetch(parameters, true);
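Review bot: In FormInitializationComponent.java (hunk @@ -352,6 +352,7 @@), computeNoteCount() now calls obq.setFilterOnReadableOrganization(false) with no comment explaining why, and nothing in the hunk shows that access to rowId has been checked before the unfiltered count runs. Please add a short comment that points to issue 29064, and confirm that callers only pass a rowId the current user can already read, or check that here the way NoteDataSource does with checkReadableAccess.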
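Review bot: In ob-view-form-notes.js (hunk @@ -194,14 +194,22 @@), the organization of the new note is still chosen in the browser: organizationOfTheNote is put into the noteDS.addData payload, while the visible NoteDataSource.add() reads only "table" and "record" from the content before calling super.add(parameters, content, false). Nothing in the visible part of this patch verifies on the server that the submitted organization is the organization of the record. Consider deriving the note's organization in NoteDataSource.add() from the record that readableAccesForUser() already loads, and ignoring or validating the client value. The special case for this.entity === 'Organization' would then live in one place on the server instead of in the form code.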
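Review bot: In DefaultDataSourceService.java, the new protected overloads of add() and remove() take a parameter named shouldFilterOnRedeableOrganizations, but in those two methods it is only passed to OBContext.setAdminMode(...); the call DefaultJsonDataService.getInstance().remove(parameters) is unchanged, so the name does not describe what the flag does there. In fetch() the same boolean drives both setAdminMode and the JSON service call, which ties two separate decisions to one argument. Please add Javadoc to the three overloads stating exactly which checks are skipped when false is passed, consider separate parameters for the admin-mode argument and the organization filter, and fix the spelling (Readable, not Redeable) before subclasses start depending on these signatures.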
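Review bot: In NoteDataSource.java, readableAccesForUser() returns silently when entity is null, when the record is not found, or when the object is not an OrganizationEnabled instance, so in those cases fetch(), add() and remove() go on to call the super method with the organization filter disabled and no access check performed. Since this method is the only guard left once false is passed, it should fail closed: throw when the entity or record cannot be resolved instead of skipping the check. Two related points in the same file: fetch() takes tableId and recordId from notesCriteria.getJSONObject(0) and getJSONObject(1) by position, so the record that is checked depends on the order in which the client sends its criteria, while the query itself runs on the full criteria; select the values by field name and reject requests that do not carry both. In remove(), OBDal.getInstance().get(Note.class, noteId) can return null for an unknown id, which surfaces as a NullPointerException wrapped by the generic catch (Exception ex); handle the missing note explicitly and avoid catching the security exception together with everything else. The method name is also misspelled (Acces).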
