openerp-community-reviewer team mailing list archive
Message #04070
[Merge] lp:~akretion-team/ocb-addons/70-addons-fix-payment-acls-bank into lp:ocb-addons
Alexis de Lattre has proposed merging lp:~akretion-team/ocb-addons/70-addons-fix-payment-acls-bank into lp:ocb-addons.
Requested reviews:
OpenERP Community Backports Team (ocb)
For more details, see:
https://code.launchpad.net/~akretion-team/ocb-addons/70-addons-fix-payment-acls-bank/+merge/208021
This MP aims at fixing the issue that I described long ago in this mail: https://lists.launchpad.net/openerp-community/msg01035.html
In short: regular users are usually in the "Contact Creation" group because they need to create/modify partners. By default in OpenERP, it also grants them create/write permissions on bank accounts. If you use OpenERP to generate SEPA files and make payments, a regular user could modify the bank account of a supplier and put its own bank account instead and receive the payments for the supplier on its own bank account! As you can imagine, this is a problem :)
This merge proposal follows a discussion that took place in the banking-addons-drivers mailing-list, cf. this thread https://lists.launchpad.net/banking-addons-drivers/msg00050.html
--
https://code.launchpad.net/~akretion-team/ocb-addons/70-addons-fix-payment-acls-bank/+merge/208021
Your team OpenERP Community Backports Team is requested to review the proposed merge of lp:~akretion-team/ocb-addons/70-addons-fix-payment-acls-bank into lp:ocb-addons.
=== modified file 'account/security/account_security.xml'
--- account/security/account_security.xml 2012-10-23 16:05:04 +0000
+++ account/security/account_security.xml 2014-02-24 21:35:22 +0000
@@ -30,6 +30,15 @@
<field name="name">Check Total on supplier invoices</field>
<field name="category_id" ref="base.module_category_hidden"/>
</record>
+
+ <!-- Remove ACLs that give configuration rights on bank accounts to
+ to base.group_partner_manager. In the CSV file, we give those rights
+ to group_account_manager -->
+ <delete model="ir.model.access"
+ id="base.access_res_partner_bank_type_group_partner_manager"/>
+ <delete model="ir.model.access"
+ id="base.access_res_partner_bank_type_field_group_partner_manager"/>
+
</data>
<data noupdate="1">
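Review bot: The comment above the two delete elements does not match what they do: it repeats a word across its first line break ("bank accounts to / to base.group_partner_manager") and speaks of "configuration rights on bank accounts", while both ids target res_partner_bank_type and res_partner_bank_type_field, so "bank account types" would be accurate. The deletes also remove the whole ACL from base.group_partner_manager rather than reducing it to read-only, and the replacement rows in the CSV go only to group_account_manager; please confirm that partner managers keep read access to these two models through another ACL, or keep the records and clear only perm_write, perm_create and perm_unlink. Since both ids are owned by base, the comment should also say how the removal behaves when base is updated and reloads its own access file.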
=== modified file 'account/security/ir.model.access.csv'
--- account/security/ir.model.access.csv 2012-10-23 16:05:04 +0000
+++ account/security/ir.model.access.csv 2014-02-24 21:35:22 +0000
@@ -98,3 +98,5 @@
access_account_treasury_report_manager,account.treasury.report.manager,model_account_treasury_report,account.group_account_manager,1,0,0,0
access_account_financial_report,account.financial.report,model_account_financial_report,account.group_account_user,1,1,1,1
access_account_financial_report_invoice,account.financial.report invoice,model_account_financial_report,account.group_account_invoice,1,0,0,0
+access_res_partner_bank_type_account_manager,Full access on res.partner.bank.type to Financial Manager,base.model_res_partner_bank_type,group_account_manager,1,1,1,1
+access_res_partner_bank_type_field_account_manager,Full access on res.partner.bank.type.field to Financial Manager,base.model_res_partner_bank_type_field,group_account_manager,1,1,1,1
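Review bot: The group column in the two added rows is written as the unqualified group_account_manager, while the existing access_account_treasury_report_manager row in the same context uses account.group_account_manager; use the qualified form so the file stays consistent and the row reads unambiguously next to the base.model_... references. The name column ("Full access on res.partner.bank.type to Financial Manager") also departs from the short "model group" style of the rows above it, for example "account.financial.report invoice"; either style works, but pick one for the file.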
=== modified file 'account_payment/security/account_payment_security.xml'
--- account_payment/security/account_payment_security.xml 2012-10-23 16:05:04 +0000
+++ account_payment/security/account_payment_security.xml 2014-02-24 21:35:22 +0000
@@ -10,6 +10,20 @@
<field name="implied_ids" eval="[(4, ref('group_account_payment'))]"/>
</record>
+ <!-- When the account_payment module is installed, we don't want
+ users that belong to the "Contract Creation" group
+ (base.group_partner_manager) to be able to create/modify bank accounts
+ because they could change bank account information of suppliers
+ and divert wire transfers to suppliers. So we delete the ACLs
+ that give create/write access on res.partner.bank and res.bank to the
+ group base.group_partner_manager and we add ACLs in the CSV file
+ that give those rights to members of account_payment.group_account_payment
+ -->
+ <delete model="ir.model.access"
+ id="base.access_res_bank_group_partner_manager"/>
+ <delete model="ir.model.access"
+ id="base.access_res_partner_bank_group_partner_manager"/>
+
</data>
<data noupdate="1">
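Review bot: The comment names the group "Contract Creation", but the proposal text calls base.group_partner_manager "Contact Creation"; fix the label so an administrator can match it to the group shown in the UI. "divert wire transfers to suppliers" is also ambiguous and would read better as "divert wire transfers intended for suppliers". The comment describes removing create/write access, yet the two delete elements drop the entire ACL, read permission included; please state whether members of base.group_partner_manager are still expected to see bank accounts on the partner form, and if so keep a read-only ACL for them instead of deleting the record.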
=== modified file 'account_payment/security/ir.model.access.csv'
--- account_payment/security/ir.model.access.csv 2011-12-19 16:54:40 +0000
+++ account_payment/security/ir.model.access.csv 2014-02-24 21:35:22 +0000
@@ -6,3 +6,5 @@
access_account_invoice_payment,account.invoice payment,account.model_account_invoice,group_account_payment,1,0,0,0
access_account_move_line_payment,account.move.line payment,account.model_account_move_line,group_account_payment,1,0,0,0
access_payment_order_manager,payment.order manager,model_payment_order,account.group_account_manager,1,0,0,0
+access_res_partner_bank_account_payment,Full access on res.partner.bank to Account Payment,base.model_res_partner_bank,group_account_payment,1,1,1,1
+access_res_bank_account_payment,Full access on res.bank to Account Payment,base.model_res_bank,group_account_payment,1,1,1,1
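Review bot: Both added rows grant 1,1,1,1 to group_account_payment, whereas the other rows visible for that group in this file (account.invoice and account.move.line) are read-only at 1,0,0,0; consider whether unlink on res.bank and res.partner.bank is really needed, or whether 1,1,1,0 is enough. These two rows are the only replacement grant shown for the ACLs deleted in account_payment_security.xml, so a user in account.group_account_manager who is not in the payment group loses write access to bank accounts unless that group implies group_account_payment; the XML context shows an implied_ids line referencing group_account_payment but not which group carries it, so please confirm this in the description.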