
c2c-oerpscenario team mailing list archive

[Bug 777850] Re: account_followup uses SQL query for getting data, circumventing security rules


Hey Amit

I really have tested with different instances, a new one and an existing one.
Now I can reproduce the error on a freshly installed one, with two companies.
First I created the company configuration, then per user/company I created invoices to test.
The following error is listed in the server log if I use two different users, each belonging to a different company (multicompany), and open "Accounting / Periodical Processing / Billing / Send followup":
[2011-05-25 23:35:06,038][demo_followup] DEBUG:web-services:AccessError
Traceback (most recent call last):
  File "/home/thomi/Daten/openerp-dev/development/server/bin/osv/osv.py", line 122, in wrapper
    return f(self, dbname, *args, **kwargs)
  File "/home/thomi/Daten/openerp-dev/development/server/bin/osv/osv.py", line 176, in execute
    res = self.execute_cr(cr, uid, obj, method, *args, **kw)
  File "/home/thomi/Daten/openerp-dev/development/server/bin/osv/osv.py", line 167, in execute_cr
    return getattr(object, method)(cr, uid, *args, **kw)
  File "/home/thomi/Daten/openerp-dev/development/server/bin/osv/orm.py", line 2941, in read
    result = self._read_flat(cr, user, select, fields, context, load)
  File "/home/thomi/Daten/openerp-dev/development/server/bin/osv/orm.py", line 2998, in _read_flat
    % (self._description,))
except_orm: (u'AccessError', u'Operation prohibited by access rules, or performed on an already deleted document (Operation: read, Document type: Followup Statistics by Partner).')
[2011-05-25 23:35:06,039][demo_followup] DEBUG:web-services:netrpc: rpc-dispatching exception
Traceback (most recent call last):
  File "/home/thomi/Daten/openerp-dev/development/server/bin/service/netrpc_server.py", line 70, in run
    result = self.dispatch(msg[0], msg[1], msg[2:])
  File "/home/thomi/Daten/openerp-dev/development/server/bin/netsvc.py", line 499, in dispatch
    raise OpenERPDispatcherException(e, tb_s)
OpenERPDispatcherException

As you can see above, I have created a completely new OpenERP instance on my own
machine, with the latest stable-6.0...

I created a little video to demonstrate what happens in the foreground:
http://db.tt/JyblThI

account_followup object permissions:
account_followup.followup http://i.imgur.com/WNTzF.png
account_followup.followup.line http://i.imgur.com/x07FO.png
account_followup.followup.print http://i.imgur.com/AHFk6.png
account_followup.followup.print.all http://i.imgur.com/TaOQb.png
account_followup.followup.stat http://i.imgur.com/Lrsk4.png
account_followup.followup.stat.by.partner http://i.imgur.com/Apslu.png

Please check that soon.. we really need that stuff... OPW 5606 !!!

thanks
thomi

-- 
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/777850

Title:
  account_followup uses SQL query for getting data, circumventing
  security rules

Status in OpenERP Modules (addons):
  Fix Released

Bug description:
  this happens in v6 and trunk

  Hi.
  Currently account_followup uses SQL queries to get the invoices and partners to send followups to. This doesn't take security rules into account, which is wrong. An ORM way would do the right thing here.

  For example a very bad effect of this is that in a multicompany
  situation any user sees the open invoices of other companies, which
  shouldn't be.

  The interesting stuff happens here:
  http://bazaar.launchpad.net/~openerp/openobject-addons/trunk/view/head:/account_followup/wizard/account_followup_print.py

  Thanks!
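As an added illustration (not code from OpenERP or from this thread), here is a minimal sqlite-backed model of the problem the bug describes: a wizard query written as raw SQL returns every company's open invoices, while the same filter expressed as an ORM-style search has the per-company record rule appended before the SQL runs. The table, the user-to-company mapping and the rule layer are constructed stand-ins, not OpenERP's actual API.

```python
# Constructed illustration, not OpenERP code: why raw SQL in a wizard
# bypasses record rules, and how a rule-aware search restores the
# per-company filtering. Runs offline against an in-memory sqlite DB.
import sqlite3

# Constructed sample data: uid -> company_id (stand-in for res.users).
USER_COMPANY = {1: 10, 2: 20}

# Whitelisted columns for the toy domain-to-SQL translation below.
FIELDS = {"id", "partner_id", "company_id", "state"}

def build_db():
    """Two companies, one paid and three open invoices (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE account_invoice (id INTEGER PRIMARY KEY, "
               "partner_id INTEGER, company_id INTEGER, state TEXT)")
    db.executemany("INSERT INTO account_invoice VALUES (?,?,?,?)", [
        (1, 100, 10, "open"), (2, 101, 10, "paid"),
        (3, 200, 20, "open"), (4, 201, 20, "open"),
    ])
    return db

def open_invoices_raw_sql(db, uid):
    """Vulnerable pattern: the SQL never consults uid or any record
    rule, so every company's open invoices are returned."""
    rows = db.execute("SELECT id FROM account_invoice WHERE state = 'open'")
    return [r[0] for r in rows]

def record_rule_domain(uid):
    """Stand-in for ir.rule: a multicompany rule limiting the model to
    the caller's own company, as an ORM-style domain."""
    return [("company_id", "=", USER_COMPANY[uid])]

def orm_search(db, uid, domain):
    """Stand-in for orm.search(): the caller's domain AND the record
    rule domain are combined before any SQL is executed."""
    clauses, params = [], []
    for field, op, val in domain + record_rule_domain(uid):
        if field not in FIELDS or op != "=":
            raise ValueError("unsupported domain term: %r" % ((field, op),))
        clauses.append("%s = ?" % field)
        params.append(val)
    sql = "SELECT id FROM account_invoice WHERE " + " AND ".join(clauses)
    return [r[0] for r in db.execute(sql, params)]

def open_invoices_orm(db, uid):
    """Fixed pattern: same business filter, routed through the
    rule-aware search, so each user only sees their company's rows."""
    return orm_search(db, uid, [("state", "=", "open")])
```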