openerp-community team mailing list archive

Re: security Vulnerability or duplication in OpenERP??

 

On 22/05/10 02:18, Masoom Alam wrote:
> Hi everyone,

Hello,

> I am having two problems, please identify whether I am doing something
> wrong, or this thing is not possible in OpenERP:
> 
> *Problem 1*
> 
>    1. Whenever I give access rights on an object, or set of objects to
>       a particular user, all the menus related to that object are
>       automatically accessible by that user. For example, in the
>       account_voucher, if a list of objects such as account.voucher,
>       account.journal etc, etc.  which are required for a user, are
>       given, all the menus under the voucher Entries are automatically
>       assigned. This is the default behavior, right?

Yes, it is the default behavior.

>    2. Does this mean that there is no need to have
>       "Administration--->Security----->Grant Access to Menus", somehow
>       granting access to menus is useless, since object access is
>       needed and when I give object access, menus access is
>       automatically granted.

Yes, unless you want to specifically restrict access to some menus in
addition to the access rights (as in your question below...)

"Grant Access to Menus" is basically the list of all menus, which
incidentally allows you to restrict some of them to specific groups.

>    3. Is there some way that I can grant access to a list of objects
>       to two or three users, but restrict access to menus?

Yes, one group can grant them access to the objects, while putting a
different group restriction on some menus can prevent them from seeing
it, even if they can access the objects.


>    4. Scenario: I want to give access to user1 to Bank Receipt Voucher
>       while to user2, Cash Payment Voucher. Now menus are different, but
>       objects are same.

Many possible solutions, here's an example: give group1 to user1 and
group2 to user2. Grant access to the common object to both groups. Add a
restriction to group1 on the first menu, and a restriction to group2 on
the second menu. Combine as you like.

> *Problem 2*
> 
>    1. In the _columns{}, whenever a one2many() relation is chosen for a
>       field, on search, the fields associated with the "many portion"
>       are automatically shown. Can we restrict this view, I mean certain
>       columns/fields from the "many part" can be hidden from particular
>       users, while certain can be shown for search purpose only?

You seem to be talking about the columns that are visible in the list
view of one2many widgets. The one2many widget uses the default 'tree'
view of the destination object, unless you specify it otherwise.
You can change that for example by defining explicitly the custom tree
view *inside* the one2many field in the view, like this:

<form>
   <field name="name"/>
   ...
   <field name="my_one2many_field_ids">
       <!-- Here you override the default list/tree view for the target
            object -->
       <tree string="Specific list view for one2many">
            <field name="name"/> <!-- name field of target object -->
       </tree>
       <!-- You can do the same for other views, like change the form
            that is used to edit the object -->
       <form string="Specific form view for one2many">
            <field name="name"/> <!-- name field of target object -->
       </form>
   </field>
</form>

Hope this helps,


-- 
Olivier Dony
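
The two-group setup described in the answer to scenario 4, written as an OpenERP XML data file. This is an added example, not part of the original message: the group ids and names are hypothetical, the two menu ids marked PLACEHOLDER must be replaced with the real XML ids of the voucher menus, and `model_account_voucher` assumes the standard auto-generated model id.

```xml
<?xml version="1.0" encoding="utf-8"?>
<openerp>
  <data>
    <!-- Hypothetical groups: assign the first to user1, the second to user2 -->
    <record id="group_bank_receipt" model="res.groups">
      <field name="name">Voucher / Bank Receipt</field>
    </record>
    <record id="group_cash_payment" model="res.groups">
      <field name="name">Voucher / Cash Payment</field>
    </record>

    <!-- Both groups get the same access to the common object.
         Repeat for account.journal etc.; adjust the perm_* flags as needed. -->
    <record id="access_voucher_bank_receipt" model="ir.model.access">
      <field name="name">account.voucher (bank receipt group)</field>
      <field name="model_id" ref="account_voucher.model_account_voucher"/>
      <field name="group_id" ref="group_bank_receipt"/>
      <field name="perm_read" eval="True"/>
      <field name="perm_write" eval="True"/>
      <field name="perm_create" eval="True"/>
      <field name="perm_unlink" eval="False"/>
    </record>
    <record id="access_voucher_cash_payment" model="ir.model.access">
      <field name="name">account.voucher (cash payment group)</field>
      <field name="model_id" ref="account_voucher.model_account_voucher"/>
      <field name="group_id" ref="group_cash_payment"/>
      <field name="perm_read" eval="True"/>
      <field name="perm_write" eval="True"/>
      <field name="perm_create" eval="True"/>
      <field name="perm_unlink" eval="False"/>
    </record>

    <!-- Menu restrictions: each menu is limited to one group.
         (6, 0, [ids]) replaces the menu's whole group list. -->
    <record id="account_voucher.PLACEHOLDER_menu_bank_receipt" model="ir.ui.menu">
      <field name="groups_id" eval="[(6, 0, [ref('group_bank_receipt')])]"/>
    </record>
    <record id="account_voucher.PLACEHOLDER_menu_cash_payment" model="ir.ui.menu">
      <field name="groups_id" eval="[(6, 0, [ref('group_cash_payment')])]"/>
    </record>
  </data>
</openerp>
```

With this data loaded, each user sees only their own voucher menu, but both groups still hold identical rights on `account.voucher`. The menu restriction controls visibility only; the access rights on the object are unchanged.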


