From bc9808eb1498d284eddd2e0434dd783b4b49aadf Mon Sep 17 00:00:00 2001
From: Carlos Ruiz <carg67@gmail.com>
Date: Fri, 12 Aug 2022 11:13:54 +0200
Subject: [PATCH] IDEMPIERE-5381 System users cannot revoke MFA trusted devices
 in GardenWorld (FHCA-3824) (#1438)

---
 .../src/org/compiere/process/MFARevokeDevice.java  | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/org.adempiere.base/src/org/compiere/process/MFARevokeDevice.java b/org.adempiere.base/src/org/compiere/process/MFARevokeDevice.java
index 6024681281..6a7e6e1833 100644
--- a/org.adempiere.base/src/org/compiere/process/MFARevokeDevice.java
+++ b/org.adempiere.base/src/org/compiere/process/MFARevokeDevice.java
@@ -32,6 +32,7 @@ import java.util.List;
 import java.util.logging.Level;
 
 import org.compiere.model.MMFARegisteredDevice;
+import org.compiere.model.PO;
 import org.compiere.model.Query;
 import org.compiere.util.Env;
 
@@ -75,20 +76,25 @@ public class MFARevokeDevice extends SvrProcess {
 		String where;
 		List<Object> params = new ArrayList<Object>();
 		params.add(Env.getAD_User_ID(getCtx()));
+		params.add(getAD_Client_ID());
 		if (p_MFARevokeAll) {
-			where = "AD_User_ID=?";
+			where = "AD_User_ID=? AND AD_Client_ID IN (0,?)";
 		} else {
-			where = "AD_User_ID=? AND (MFA_RegisteredDevice_ID=? OR Expiration<=SYSDATE)";
+			where = "AD_User_ID=? AND AD_Client_ID IN (0,?) AND (MFA_RegisteredDevice_ID=? OR Expiration<=SYSDATE)";
 			params.add(p_MFA_RegisteredDevice_ID);
 		}
 		List<MMFARegisteredDevice> rds = new Query(getCtx(), MMFARegisteredDevice.Table_Name, where, get_TrxName())
 				.setOnlyActiveRecords(true)
-				.setClient_ID()
 				.setParameters(params)
 				.list();
 		for (MMFARegisteredDevice rd : rds) {
 			rd.setIsActive(false);
-			rd.saveEx();
+			try {
+				PO.setCrossTenantSafe();
+				rd.saveEx();
+			} finally {
+				PO.clearCrossTenantSafe();
+			}
 		}
 
 		return "@OK@";