c2c-oerpscenario team mailing list archive

Thread
Date

[Bug 652179] Re: Sidebar displays customisation links for all users

To: c2c-oerpscenario@xxxxxxxxxxxxxxxxxxx
From: James Jesudason <james.jesudason@xxxxxxxxxxxxx>
Date: Fri, 22 Oct 2010 13:44:00 -0000
Reply-to: Bug 652179 <652179@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

To me this is a security flaw in the system. A malicious user could
customise a view to display fields that should not be shown or even to
remove existing fields.

-- 
Sidebar displays customisation links for all users
https://bugs.launchpad.net/bugs/652179
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to OpenERP OpenObject.

Status in OpenObject Web Client: New

Bug description:
The web client has some extra options in the sidebar to allow views and objects to be customised e.g. Manage View, Customise Objects. These do not seem to be controlled by security groups, so they are being displayed for all users. These should only be displayed for Administrators.

bzr revno: 3369