Issue 52527 - Opening an embedded form with contained macros yields security question
Summary: Opening an embedded form with contained macros yields security question
Status: CLOSED FIXED
Alias: None
Product: Base
Classification: Application
Component: code (show other issues)
Version: 680m118
Hardware: All All
: P3 Trivial (vote)
Target Milestone: OOo 2.4
Assignee: marc.neumann
QA Contact: issues@dba
URL:
Keywords:
: 61852 (view as issue list)
Depends on: 82110
Blocks:
  Show dependency tree
 
Reported: 2005-07-27 07:58 UTC by drewjensen.inbox
Modified: 2008-01-16 16:50 UTC (History)
2 users (show)

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---


Attachments
error when procedure run from basic ide - sec. low (41.36 KB, application/vnd.sun.xml.base)
2008-01-15 21:14 UTC, drewjensen.inbox
no flags Details
error when dragging form to folder - sec hight (17.51 KB, image/png)
2008-01-15 21:15 UTC, drewjensen.inbox
no flags Details
drag form out of folder - sec medium (11.57 KB, image/png)
2008-01-15 21:17 UTC, drewjensen.inbox
no flags Details

Note You need to log in before you can comment on or make changes to this issue.
Description drewjensen.inbox 2005-07-27 07:58:14 UTC
Here is the a scenario, that shows the problem.

Go into Options -> Security ->Macro Security-> set level to Very High
Trusted Sources and enter <somepath> as a trusted location.

Store a OOoBase Database file in <somepath>, create a form and add a
macro to the form. You can not execute the macro code within this form,
because the security manager does not recognize the form as coming from
within the trusted path.

If instead of Very High you set the security level to Medium the user would be
prompted whether to enable or disable macros every time the form is opened from
the GUI.
Comment 1 nagashree 2005-07-27 08:46:53 UTC
Confirming the issue
Comment 2 marc.neumann 2005-08-04 13:28:30 UTC
confirm , set target and reassign to the developer
Comment 3 marc.neumann 2006-02-10 08:11:05 UTC
*** Issue 61852 has been marked as a duplicate of this issue. ***
Comment 4 drewjensen.inbox 2006-06-09 05:43:46 UTC
I believe this issue should be marked as a duplicate of 49441.
Comment 5 Frank Schönheit 2006-06-09 07:56:29 UTC
Yes, I think so. The root cause for both issues is the same - the framework
handles the forms as if they were separate documents -, so fixing one will fix
the other.

*** This issue has been marked as a duplicate of 49441 ***
Comment 6 Frank Schönheit 2006-06-09 07:57:23 UTC
closing duplicate
Comment 7 Frank Schönheit 2007-09-27 06:31:28 UTC
re-opening. Issue 49441 is about the security question when a form is previewed,
this issue is about the security question when the form is opened.
The fix for issue 49441 really touched the first only, this problem here is
still to be fixed.
Comment 8 Frank Schönheit 2007-09-27 06:32:46 UTC
Unfortunately, fixing this problem here is not as easy as issue 49441. If the
security options say to ask the user at opening time, then we need to examine
all forms/reports embedded in the .odb when we open the .odb - which could be
quite expensive. Let's see.
Comment 9 drewjensen.inbox 2007-10-13 19:28:21 UTC
Using OOo-Dev 2.3 m233

Set Macro Security to HIGH

Set secured path to <windows users root>/My Documents

Created database in <windows users root>/My Documents with an embedded form,
assigned basic macro, from library, to Document Open event.

Macro runs without notification when window opens.

Closed and copied database file to c:/tmp

Closed OpenOffice.org completely

Opened test databse. Opened embedded form MACRO runs without notification!!!

See ISSUE #76129
Comment 10 drewjensen.inbox 2007-10-13 20:02:51 UTC
Re- ran test.

No change from previous releases. Embedded macros are never seen as coming from
a trusted path.
Comment 11 Frank Schönheit 2007-10-22 22:02:01 UTC
fixed in CWS dba24c

find more information about this CWS, like when it is available in the master
builds, in EIS, the Environment Information System:
http://eis.services.openoffice.org/EIS2/cws.ShowCWS?Path=SRC680%2Fdba24c
Comment 12 Frank Schönheit 2007-11-05 06:45:06 UTC
fs-> msc: please verify in CWS dba24c
Comment 13 Frank Schönheit 2007-11-07 08:45:32 UTC
targeting to 2.4, since the fix is part of a CWS aiming for this release
Comment 14 marc.neumann 2007-11-12 14:00:20 UTC
verified in CWS dba24c

find more information about this CWS, like when it is available in the master
builds, in EIS, the Environment Information System:
http://eis.services.openoffice.org/EIS2/cws.ShowCWS?Path=SRC680%2Fdba24c
Comment 15 drewjensen.inbox 2008-01-15 21:12:55 UTC
Tested with ooo-dev 2.4 680M_242 on XP.
Welll.......

I took an existing ODB file and added a form, added one basic procedure.
With any security setting the form opens without any interaction with the user. 
In no security setting will the macro actually execute - setting trusted
locations makes no difference. There is no error message, the routine simply
does not run.

The application will display warning dialogs in three circumstances:

Attached are three screen shot when you open the macro in the Basic IDE and try
to run it - this particular shot was with macro security set to low.

The next case I set macro security to High. Then created a folder under forms
and dragged the new form into the folder. This displays the warning box in
attahcment 2.

Finally - with macro security set to medium - I dragged the form out of the
folder and back to the top level in the odb file. This displays the dialog in
attachment 3 [details].

Comment 16 drewjensen.inbox 2008-01-15 21:14:19 UTC
Created attachment 50888 [details]
error when procedure run from basic ide - sec. low
Comment 17 drewjensen.inbox 2008-01-15 21:15:55 UTC
Created attachment 50889 [details]
error when dragging form to folder - sec hight
Comment 18 drewjensen.inbox 2008-01-15 21:17:07 UTC
Created attachment 50890 [details]
drag form out of folder - sec medium
Comment 19 Frank Schönheit 2008-01-15 21:49:43 UTC
Preface: CWS dba24e contains the fix for issue 84334 "macro warning when open a
database with a folder in the form section". Folders were ... not on the list
when implementing this originally :-\

What was obviously also not on the list was Drag'n'Drop: I can reproduce, even
in CWS dba24e, the problem that DnD of a form with macros still yields the
security question. Care to submit another issue (you know, the one-per-issue rule)?

I cannot reproduce the problem that newly added macros are not executed, neither
in dba24e nor in m242. A step-by-step description might be helpful here.
Comment 20 drewjensen.inbox 2008-01-16 16:49:15 UTC
Single issue is fixed 
Comment 21 drewjensen.inbox 2008-01-16 16:50:30 UTC
closing for single issue