Cross Tenant issue when broad casting message to System Tenant Role

Description

If System tenant role assigned users of clients in multi client environment, And User try to broad cast to such role from client, System throws cross tenant access issue.

Environment

None

Activity

Deepak Pansheriya
July 30, 2021 at 4:56 AM

Created new PR https://github.com/idempiere/idempiere/pull/806

I also handle Everyone in System tenant by using User’s client, So they can acknowledge without cross tenant issue.

Heng Sin Low
July 23, 2021 at 2:27 AM

Hi , yes, that looks good.

Deepak Pansheriya
July 22, 2021 at 1:45 PM

If I summarize correctly then below will work as per our discussion in this thread.

  1. When target is Client, we should use target client on note

  2. When target is role, we should set target role’s client on note.

  3. When target is user, we should use target user’s client on note.

  4. Also we should restrict user field on broadcast message window to list only users of current tenant.

Carlos Ruiz
July 22, 2021 at 1:42 PM

Ah OK - that must work.

Heng Sin Low
July 22, 2021 at 12:45 PM
(edited)

Hi ,

No, cross tenant safe is not needed for #2. The ad_note for system user should be created using the role’s tenant instead of the system user tenant.

Regards,

Low

Fixed

Details

Assignee

Reporter

Components

Fix versions

Affects versions

Priority

Created April 22, 2021 at 10:50 AM
Updated October 1, 2021 at 2:46 PM
Resolved July 30, 2021 at 9:18 AM