c2c-oerpscenario team mailing list archive

Thread
Date

[Bug 863089] Re: users share field group access incorrect

To: c2c-oerpscenario@xxxxxxxxxxxxxxxxxxx
From: "Olivier Dony \(OpenERP\)" <863089@xxxxxxxxxxxxxxxxxx>
Date: Fri, 30 Sep 2011 08:52:33 -0000
Reply-to: Bug 863089 <863089@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Hi,

To answer your question, the `groups` attribute that you can put on fields will restrict its visibility (in the UI) to only members of the named groups. It's not deprecated, and may be a comma-separated list of groups, in which case it will be visible to users of all the mentioned groups.
This is by no means a security mechanism (hence this is not a security bug), it's only present to customize views, and will not enforce any per-field access restriction. You can use it in the python declaration to make it global, or put it in any view, for local effect.

Now you're right, the correct ID of the group is 'share.group_share_user'. However this is of no consequence here, because the 'share' field is not displayed in users/groups form/list views at all, it's an internal flag to track 'share users'.
And it's simply not included in any form/list view, so that's fine. It should only be in the search view, along with the special 'no_share' filter used to hide 'share_users' by default, and visible by everyone.

The unnecessary and incorrect `groups` attributes should still be
removed, as they're just confusing. This was done in trunk at revision
5239 revid: odo@xxxxxxxxxxx-20110930082749-noyygg1rvpmd9343

Thanks for reporting!

** Changed in: openobject-addons
Importance: Undecided => Low

** Changed in: openobject-addons
Status: New => Fix Released

** Changed in: openobject-addons
Milestone: None => 6.1

** Changed in: openobject-addons
Assignee: (unassigned) => OpenERP's Framework R&D (openerp-dev-framework)

** Visibility changed to: Public

** This bug is no longer flagged as a security vulnerability

--
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to OpenERP Project Group.
https://bugs.launchpad.net/bugs/863089

Title:
users share field group access incorrect

Status in OpenERP Addons (modules):
Fix Released

Bug description:
In the module 'share', in the file 'res_users.py' :

In both 'share' field definitions (res.groups and res.users) is the attribute:
groups='share.group_share'

However, this group is not declared anywhere in the 'share' module. I
can see the ID 'group_share_user' in the security file. I think this
should be used in the 'share' fields.

I found this bug in the addons of OpenERP:
branch: http://bazaar.launchpad.net/~openerp/openobject-addons/6.0/
revno: 4821
(i did not search for other branches, revisions or whatever).

I found this bug because I wanted to learn how the 'groups' attribute
on 'fields' works. There is little documentation about this. Might it
be deprecated???

To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-addons/+bug/863089/+subscriptions