c2c-oerpscenario team mailing list archive

Thread
Date

[Bug 657013] Re: Several security flaws

To: c2c-oerpscenario@xxxxxxxxxxxxxxxxxxx
From: "vra \(openerp\)" <657013@xxxxxxxxxxxxxxxxxx>
Date: Thu, 16 Dec 2010 09:27:35 -0000
Reply-to: Bug 657013 <657013@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

We Let the Framework team decide.

Thanks.

** Visibility changed to: Public

** This bug is no longer flagged as a security vulnerability

** Changed in: openobject-server
       Status: New => Triaged

** Changed in: openobject-server
     Assignee: (unassigned) => OpenERP's Framework R&D (openerp-dev-framework)

-- 
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/657013

Title:
  Several security flaws

Status in OpenObject Server:
  Triaged

Bug description:
  Any user that must be able to create a document with a workflow such as 'sale.order' must have write/create rights on workflow item and instance models. This means the user will be able to modify the workflow step of any document in the system such as invoices even if he has no rights on invoices. This will desynchronize model's 'state' field with the workflow step leaving a messy system.

'ir.attachment' already has this point solved so the same solution should be applied here for 'instance' and 'workitem' models.

I think similar issues apply to other models that affect the way OpenERP works (haven't deeply checked them):

- In 'ir.rule': one must give read access to 'ir.rule' to all users. Do we really want to let users know what restrictions are being applied to them?
- In 'ir.property': Isn't it possible for any user access any information only because it must be given read access to 'ir.property' model?
- In 'ir.sequence': If a user must have access to a sequence to create 'sale.order', he will have access to other sequences as well. (Right, you can create rules for that but it really is not sensible to ask that to administrator).
- In 'ir.default': Do we want to let users see what other users set as default value for themselves?
- In 'ir.model.access': Do we want to let users see what other users are allowed to see and what not?
- In 'ir.translation': We're letting any user read and probably overwrite information of data they may not be allowed to access.

And basically any model that is given at least read access to all users should be analyzed.