Hot documentation news

[ERP 2.50] Module demonstrations (videos)

How-to create localization modules

[ERP 2.50] Fundamentals and Concepts

[ERP] Upgrading to 2.50

[ERP] Mercurial manual

[POS] Openbravo POS integration

[ERP 2.50] New user manual

[ERP 2.50] Modularity video tutorials

[ERP 2.50] Build tasks

[ERP 2.50] Environment installation

[ERP 2.50] Installation

ADVERTISEMENT

Toolbox

Help

Google Search

Participate

Partnerships

Openbravo ERP at SourceForge

Openbravo POS at SourceForge

Openbravo at Open Solutions Alliance

QA test plan 2.40/Security Review

1 Introduction
2 Aim of the project
3 Impact in the application
4 Previous data
5 Test cases
6 Results

Introduction

Multi-client and multi-organization operation should be secured. The Enterprise model -work in progress- is required to define security policies in a multi-client and multi-org operation. Multi-client security policy is completely defined (absolutely isolated client operation) while multi-org operation is not so clear

Aim of the project

The priority objective for the Security review project is to allow a secure multi-client operation in a SaaS environment and it has been reached (still some manual windows pending for review). It means that the backend checks in all requests that the user is allowed to see, insert, modify or delete that information. Be aware that there are still a security flaw: referenced data is not validated from a multi-client perspective. A user might hack a request to save an order in his client (this is guaranteed by the system) but referencing to a customer in a different client which is not allowed to him just by editing the customerID in the request. Through this flaw a security attack could be done. This validation is not planned for the 2.40 release (should we consider it?).
As a secondary objective the project aims to review the organization filtering and validation policy to fit multi-organization operation.

Impact in the application

Previous data

Test cases

Data filtering

Access levels

Audit

1. Audit in any wad window.Configured at Session info

'Introduction:Test if exists the audit fields in mode relation an in edit mode as well when the ERP is configured going to Session info window

Steps:
- Login into English with role access as Admin
- Go to General set up->Application->Session preferences
- Verify that exists the new check: Show audit
- Mark the flag
- Go to Sales management->Transactions->Sales Order
- Click New and fill the mandatory fields. Save
- Issues to verify:
  - You must see new four fields in the Audit zone
  - Clicking the search button, those four new fields should be as a filters
  - Changing the view to grid mode, those four new field should be showed
- Go back to General set up->Application->Session preferences
- Unmark the flag show audit
- Go back to Sales management->Transactions->Sales Order
- Click New and fill the mandatory fields. Save
- Issues to verify:
  - You must not see the Audit zone
  - Clicking the search button, nothing related with audit should be showed
  - Changing the view to grid mode, nothing related with audit should be showed

2. Audit in any wad window. Configured as preference

'Introduction:Test if exists the audit fields in mode relation an in edit mode as well when the ERP is configured through preference value

Steps:
- Login into English with role access as Admin
- Go to General set up->Application->Session preferences
- Unmark the flag show audit
- Go to General setup->Preference
- Click new and fill:
  - Window:Sales order
  - Attribute:ShowAudit
  - Value:Y
- Save
- Logout and login
- Go to Sales management->Transactions->Sales Order
- Click New and fill the mandatory fields. Save
- Issues to verify:
  - You must see new four fields in the Audit zone
  - Clicking the search button, those four new fields should be as a filters
  - Changing the view to grid mode, those four new field should be showed
- Go to Sales management->Transaction->Sales Invoice
- Issues to verify:
  - You must not see the Audit zone
  - Clicking the search button, nothing related with audit should be showed
  - Changing the view to grid mode, nothing related with audit should be showed

3. Audit in any wad window. New button in the toolbar

'Introduction:Test if exists the audit fields in mode relation an in edit mode as well when activating/deactivating audit by the toolbar button that is for that

Steps:
- Login into English with role access as Admin
- Go to Sales management->Transactions->Sales Order
- Click New and fill the mandatory fields. Save
- Issues to verify:
  - You must see a new button that allows to show/not show the audit
- Click the button to show the audit and verify:
  - Clicking the search button, those four new fields should be as a filters
  - Changing the view to grid mode, those four new field should be showed
- Click the button to not show the audit and verify:
  - You must not see the Audit zone
  - Clicking the search button, nothing related with audit should be showed
  - Changing the view to grid mode, nothing related with audit should be showed

Results

All the bugs will be reported with the prefix QA-SER

Retrieved from "http://wiki.openbravo.com/wiki/QA_test_plan_2.40/Security_Review"

This page has been accessed 1,375 times. This page was last modified 02:57, 19 May 2009. Content is available under Creative Commons Attribution-ShareAlike 2.5 Spain License.

Category: QA Test plan 2.40 ERP