Projects:Disable ERP Access in Store Servers

Introduction

The purpose of this project is to disable the access to the ERP UI in the store servers. The access could be explicitely granted setting a preference. The default value of the preference would not grant access to the ERP in the store servers.

With the default value of the preference:

• It should be possible to log in through the POS login page
• It should NOT be possible to log in through the ERP login page
• The Back Office button should be disabled in the POS
• If once the user has logged in in the POS he enters an ERP URL (for instance this one), it should be redirected to the ERP login page, where the proper error message should be shown

Current Approach

• Make available in core whether the current server is a central server or a store server. Currently this logic is in the MobileServerController class, which is implemented in the mobile core module, thus not reachable from core. To do this three classes will be created:
  • org.openbravo.server.ServerController: it has two public methods isThisACentralServer and isThisAStoreServer. By default it returns true and false respectively, but this behaviour can be overwritten by creating a class that extends AbstractServerControllerImplementation.
  • org.openbravo.server.AbstractServerControllerImplementation: the class to be extended by specific implementations of the server controller. It has two abstract methods isThisACentralServer and isThisAStoreServer, and a getPriority method that will be used to determine what AbstractServerControllerImplementation instance should be used if there are several defined
  • org.openbravo.mobile.core.servercontroller.ServerControllerImplementation: A class that extends AbstractServerControllerImplementation and that uses the MobileServerController to provide information about the current server
• Create the RestrictErpAccessInStoreServer preference in Core. This preference will be used to determine whether the access to the ERP should be restricted (only available to System Admins) in the store servers
• Configure the LoginHandler so that if the current server is a store server and the access is restricted, only allow access to the ERP using the System Admin role (denying access altogether if the System Admin role is not available to the user being logged).
• Configure the POSLoginHandler to give access to the POS even if the access is restricted to the ERP in the store servers.
• Configure UserInfoWidgetActionHandler to give only access to the System Admin role is the access to the ERP is restricted
• Configure index.jsp to deny access to the ERP if the access is restricted and the current role is not System Admin

Test Plan

Prepare the instance by:

• Configuring it as a store server
• Setting the RestrictErpAccessInStoreServer preference to Y

If the server is not configured as a store server or if the RestrictErpAccessInStoreServer preference is not set to Y then this project should not make any difference.

• Test 1:
  • Log in as Openbravo/openbravo using the ERP login page.
    • A pop up should be shown to indicate that the access is restricted only to System Admins, and access should be given to the ERP using the System Admin role.
  • Open the Role combo in the Openbravo Profile widget
    • Only the System Admin role should be available
  • Log out

• Test 2:
  • Log in as vallblanca/openbravo using the ERP login page.
    • A message should be shown indicating that access is denied because the current server is a store server and access is restricted to non System Admin users (vallblanca user does not have access to the System Admin role)

• Test 3:
  • Log in as vallblanca/openbravo using the POS login page.
    • Access should be granted and the POS main page should open
  • Open the upper left menu
    • The Back Office menu item should not be available (to be done)
  • Go to the back office either by clicking on the Back Office menu entry or by entering the main ERP page in the browser
    • The main page should not be loaded, and a message informing the user that the access should be shown