
c2c-oerpscenario team mailing list archive

[Bug 777850] Re: account_followup uses SQL query for getting data, circumventing security rules


Hey Amit

Thanks for creating a fix. I tested it and patched the account_followup
module on a test instance. After patching I updated the server with "-u
account_followup -d databasename" and the result is:

Going to "Accounting / Periodical Processing / Billing / Send followups",
selecting the default follow-up (already selected) and clicking "Continue",
the list is empty...

Then I switched back to the saved
"account_followup/wizard/account_followup_print.py" and I get back the
list of open invoices, but for all companies, not only the one the
current user belongs to...

Already checked under "Accounting / Configuration / Misc / Follow-Ups"
that the follow-up belongs to the correct company.

Btw, the default access rights on "account_followup.followup" are maybe
wrong, because only "Accounting / Accountant" has read access and no
manager has any other access; only admin can create a Follow-Up
configuration.

cheers
thomi

-- 
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/777850

Title:
  account_followup uses SQL query for getting data, circumventing
  security rules

Status in OpenERP Modules (addons):
  Fix Committed

Bug description:
  this happens in v6 and trunk

  Hi.
  Currently account_followup uses SQL queries to get the invoices and partners to send follow-ups to. This doesn't take security rules into account, which is wrong. An ORM way would do the right thing here.

  For example, a very bad effect of this is that in a multi-company
  situation any user sees the open invoices of other companies, which
  shouldn't be the case.

  The interesting stuff happens here:
  http://bazaar.launchpad.net/~openerp/openobject-addons/trunk/view/head:/account_followup/wizard/account_followup_print.py

  Thanks!
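Added illustration (not code from the bug report, the fix, or the account_followup module): the point of the report is that a hand-written SQL query run on the database cursor never passes through the ORM, so record rules (ir.rule, which in a multi-company setup typically restrict a user to records of their own company) are never applied. The script below models that difference with sqlite3 and a single made-up record rule; the table layout, users, invoice numbers and the rule text are all constructed for the example and are a simplification of what OpenERP's ORM actually does, not its implementation.

```python
import sqlite3

# Constructed sample data for this illustration only (not from the bug report):
# two companies, an admin user, one accountant per company, four invoices.
SAMPLE_SQL = """
CREATE TABLE res_users (id INTEGER PRIMARY KEY, login TEXT, company_id INTEGER);
CREATE TABLE account_invoice (
    id INTEGER PRIMARY KEY, number TEXT, state TEXT, company_id INTEGER, residual REAL);
INSERT INTO res_users VALUES (1, 'admin', 1), (2, 'acct_a', 1), (3, 'acct_b', 2);
INSERT INTO account_invoice VALUES
    (10, 'A/001', 'open', 1, 100.0),
    (11, 'A/002', 'paid', 1,   0.0),
    (12, 'B/001', 'open', 2, 250.0),
    (13, 'B/002', 'open', 2,  75.0);
"""

SUPERUSER_ID = 1  # modelled after OpenERP's admin uid, which record rules do not restrict

# Modelled record rule (stand-in for an ir.rule on account.invoice in a
# multi-company setup): a user only sees invoices of their own company.
RECORD_RULES = {
    "account_invoice": ("company_id = :company_id",),
}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn


def raw_sql_open_invoices(conn):
    """The pattern the bug report describes: SQL executed straight on the
    cursor. Nothing here knows which user is asking, so no record rule is
    applied and every company's open invoices come back."""
    rows = conn.execute(
        "SELECT id FROM account_invoice WHERE state = 'open' ORDER BY id")
    return [r[0] for r in rows]


def orm_search_open_invoices(conn, uid):
    """Modelled ORM search: the caller's domain is ANDed with the record
    rules that apply to uid, so the result is already limited to what uid
    is allowed to see. Only the superuser bypasses the rules."""
    where = ["state = 'open'"]
    params = {}
    if uid != SUPERUSER_ID:
        row = conn.execute(
            "SELECT company_id FROM res_users WHERE id = ?", (uid,)).fetchone()
        if row is None:
            raise ValueError("unknown uid %r" % uid)
        for rule in RECORD_RULES.get("account_invoice", ()):
            where.append("(" + rule + ")")
        params["company_id"] = row[0]
    sql = ("SELECT id FROM account_invoice WHERE " + " AND ".join(where)
           + " ORDER BY id")
    return [r[0] for r in conn.execute(sql, params)]


def compare(uid):
    """Run both variants as uid and report which invoice ids the raw query
    exposes that the rule-aware search would have withheld."""
    conn = make_db()
    raw = raw_sql_open_invoices(conn)
    orm = orm_search_open_invoices(conn, uid)
    return {"raw_sql": raw, "orm": orm,
            "leaked": sorted(set(raw) - set(orm))}


if __name__ == "__main__":
    for uid in (1, 2, 3):
        print("uid", uid, compare(uid))
```

For uid 2 (accountant of company 1) the raw query returns invoices 10, 12 and 13 while the rule-aware search returns only 10, so 12 and 13 are the cross-company leak the report describes; for the superuser both variants agree. Note that the fix also relies on the calling user having read access to account.invoice at all: if the model-level access rights deny it, an ORM search returns nothing or raises, which is worth checking when a patched wizard suddenly shows an empty list.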

