c2c-oerpscenario team mailing list archive
-
c2c-oerpscenario team
-
Mailing list archive
-
Message #23650
Re: [Bug 777850] [NEW] account_followup uses SQL query for getting data, cirmumventing security rules
On Thursday 05 May 2011, you wrote:
> Public bug reported:
>
> this happens in v6 and trunk
>
> Hi.
> Currently account_followup uses SQL queries to get invoice and partners to
> sent followups to. This doesn't take security rules into account, which is
> wrong. And ORM way would do the right thing here.
>
> For example a very bad effect of this is that in a multicompany
> situation any user sees the open invoices of other companies, which
> shouldn't be.
>
Hint: there *is* a way to formulate an osv.expression, add the ir.rules and
parse all that into an SQL where clause, in order to use it in a freehand SQL
query. I've used that in pg84 in several places.
--
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/777850
Title:
account_followup uses SQL query for getting data, cirmumventing
security rules
Status in OpenERP Modules (addons):
New
Bug description:
this happens in v6 and trunk
Hi.
Currently account_followup uses SQL queries to get invoice and partners to sent followups to. This doesn't take security rules into account, which is wrong. And ORM way would do the right thing here.
For example a very bad effect of this is that in a multicompany
situation any user sees the open invoices of other companies, which
shouldn't be.
The interesting stuff happens here:
http://bazaar.launchpad.net/~openerp/openobject-
addons/trunk/view/head:/account_followup/wizard/account_followup_print.py
Thanks!
References