c2c-oerpscenario team mailing list archive

Thread
Date

[Bug 598454] Re: ORM: search should return empty list when meeting a NULL many2one in the middle of the evaluation of a chained domain expression.

To: c2c-oerpscenario@xxxxxxxxxxxxxxxxxxx
From: "Olivier Dony \(OpenERP\)" <598454@xxxxxxxxxxxxxxxxxx>
Date: Wed, 29 Dec 2010 17:43:55 -0000
Reply-to: Bug 598454 <598454@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

The fix has landed in server revision 3178
odo@xxxxxxxxxxx-20101229174223-xjljjvwqoiwgpci1, including a basic
testsuite, courtesy of xrg :-)

** Changed in: openobject-server
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/598454

Title:
  ORM: search should return empty list when meeting a NULL many2one in the middle of the evaluation of a chained domain expression.

Status in OpenObject Server:
  Fix Released

Bug description:
  Search should return empty list when meeting a NULL many2one in the middle of the evaluation of a chained domain expression.

Given the record rule domain:
   [('employee_id.department_id.manager_id.user_id.id', '=', user.id)]
Without the patch, the domain also matches objects whose employee is not in a department, i.e. it explicitly searches for object for which 'employee_id.department_id IS NULL'.
This behavior is a security risk (potential information leakage).

I guess there could be a better way than my patch to handle this.