0. [Optional] You can remove all your browser cookies (related to the
server site) to ensure that nothing is read from cookies.
1. Start ADempiere server.
2. Start browser
3. Point your browser to
http://ADEMPIERE_SERVER:PORT/adempiere/WWindow?AD_Window_ID=XX where
XX is the ID of any System-level window (e.g. 100 = Table and column,
101 = Reference).
4. You can do _ALL_ CRUD operations without any kind of authorisation.
Env.getContextAsInt() returns 0 for undefined value in context. That's
no problem for Swing gui, because you can't access the application
before logging in. But for WebUI it's just the matter of calling a
servlet in address bar.
In GridWindowVO.create():
int AD_Role_ID = Env.getContextAsInt(vo.ctx, "#AD_Role_ID");
So AD_Role_ID=0 and this allows all system windows and tabs to be
accessed without authentication.
One can't access other roles' windows. That's because -as you may have
guessed- others' ID !=0.
Logged In: YES
user_id=1418900
Originator: YES
The fix has been provided. See http://sourceforge.net/tracker/index.php?func=detail&aid=1745707&group_id=176962&atid=879334
Warm regards,
Bahman
Logged In: YES
user_id=1418900
Originator: YES
Committed into trunk, rev. 2866
Logged In: YES
user_id=1418900
Originator: YES
Hello,
It would be good if someone could commit the files also to tags/320 as I -for some reason- can't do that.
Warm regards,
Bahman
Logged In: YES
user_id=1180760
Originator: NO
Bahman, it must be committed in branches/adempiere321, tags keep fixed.
Regards,
Carlos Ruiz
Logged In: YES
user_id=1418900
Originator: YES
Hi Carlos,
> Bahman, it must be committed in branches/adempiere321, tags keep fixed.
Yes, you're right; my mistake. Thanks!
Warm regards,
Bahman
Logged In: YES
user_id=1599854
Originator: NO
Hi all, this issue aside, the fact that the current Env.getContextAsInt returns 0 for an undefined value in context is both problematic and dangerous. This is because 0 is used as an ID in some tables of the system, often to represent special built-in records (e.g., in this particular issue, 0 is the ID of the built-in system administrator role). We have to either change that to return -1 or eliminate the use of 0 as an ID.
Regards,
Low
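The failure mode described in the original report and in the comment above, as an added example that is not ADempiere code and not the committed fix: a getter that returns 0 for an undefined context value makes an anonymous request look like role 0, while a -1 sentinel lets the check fail closed. The class, the method names and the sample role ID 102 are hypothetical; only the "#AD_Role_ID" key and the meaning of role 0 come from the thread.

```java
import java.util.Properties;
// Added illustration: ContextRoleDemo and its methods are hypothetical, not ADempiere code.
public class ContextRoleDemo {
    static final String ROLE_KEY = "#AD_Role_ID";   // context key quoted in the report
    static final int SYSTEM_ROLE_ID = 0;            // per the thread: built-in system administrator role
    static final int UNDEFINED = -1;                // sentinel suggested in the thread

    // Models the reported behaviour: an undefined context value comes back as 0.
    static int getContextAsIntLegacy(Properties ctx, String key) {
        return parseOr(ctx.getProperty(key), 0);
    }

    // Variant with a sentinel that cannot collide with a real record ID.
    static int getContextAsIntStrict(Properties ctx, String key) {
        return parseOr(ctx.getProperty(key), UNDEFINED);
    }

    static int parseOr(String s, int fallback) {
        if (s == null || s.trim().isEmpty()) return fallback;
        try {
            return Integer.parseInt(s.trim());
        } catch (NumberFormatException e) {
            return fallback;
        }
    }

    // Flawed gate: "no role in context" is indistinguishable from "role 0".
    static boolean maySeeSystemWindowLegacy(Properties ctx) {
        return getContextAsIntLegacy(ctx, ROLE_KEY) == SYSTEM_ROLE_ID;
    }

    // Gate that fails closed when the session carries no role at all.
    static boolean maySeeSystemWindowStrict(Properties ctx) {
        int role = getContextAsIntStrict(ctx, ROLE_KEY);
        return role != UNDEFINED && role == SYSTEM_ROLE_ID;
    }

    public static void main(String[] args) {
        Properties anonymous = new Properties();    // constructed: request with no login
        Properties sysAdmin = new Properties();     // constructed: logged-in role 0
        sysAdmin.setProperty(ROLE_KEY, "0");
        Properties other = new Properties();        // constructed: some non-system role
        other.setProperty(ROLE_KEY, "102");
        for (Properties ctx : new Properties[] {anonymous, sysAdmin, other}) {
            System.out.printf("role=%s legacy=%b strict=%b%n", ctx.getProperty(ROLE_KEY),
                    maySeeSystemWindowLegacy(ctx), maySeeSystemWindowStrict(ctx));
        }
    }
}
```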
Logged In: YES
user_id=1311402
Originator: NO
Hi Low,
I made this recommendation also, in the team mailing list :)
Best regards,
Teo Sarca
Logged In: YES
user_id=1312539
Originator: NO
This Tracker item was closed automatically by the system. It was
previously set to a Pending status, and the original submitter
did not respond within 14 days (the time period specified by
the administrator of this Tracker).