fixed bug 29326: multi record attachment download does not check org access
authorAsier Lostalé <asier.lostale@openbravo.com>
Wed, 18 Mar 2015 09:26:06 +0100
changeset 26202 fe1d0d1cf4ba
parent 26201 bb2fdcffc429
child 26203 327af339611e
child 26204 f400d595dc52
fixed bug 29326: multi record attachment download does not check org access

When downloading attachemnts from different records at once, attachment's
record's organization was not checked to be accessible. The problem was it tried
to get a single record with id as concatenation of all ids.

The fix iterates over all the records and check org access for each of them
individually.
src/org/openbravo/erpCommon/businessUtility/TabAttachments.java
--- a/src/org/openbravo/erpCommon/businessUtility/TabAttachments.java	Wed Mar 18 09:10:10 2015 +0100
+++ b/src/org/openbravo/erpCommon/businessUtility/TabAttachments.java	Wed Mar 18 09:26:06 2015 +0100
@@ -276,9 +276,11 @@
       // Checks if the user has readable access to the record where the file is attached
       Entity entity = ModelProvider.getInstance().getEntityByTableId(tableId);
       if (entity != null) {
-        Object object = OBDal.getInstance().get(entity.getMappingClass(), recordIds);
-        if (object instanceof OrganizationEnabled) {
-          SecurityChecker.getInstance().checkReadableAccess((OrganizationEnabled) object);
+        for (String recordId : recordIds.split(",")) {
+          Object object = OBDal.getInstance().get(entity.getMappingClass(), recordId);
+          if (object instanceof OrganizationEnabled) {
+            SecurityChecker.getInstance().checkReadableAccess((OrganizationEnabled) object);
+          }
         }
       }