openerp-community team mailing list archive

Re: Project / Invoicing menu available for HR /Employee group

 

Hi Tadeus,

Of course that makes sense; hiding menus doesn't guarantee that the user
won't access the hidden content. If he has the URL (or guesses it) he would
access

I'm stuck thinking about the best way to implement this.
How do you deny read access (any access at all) to Accounts and Analytic
Accounts to users that you want to report hours (create tasks work) in the
system?

cheers

On Tue, Jul 3, 2012 at 6:12 AM, Tadeus Prastowo <
tadeus.prastowo@xxxxxxxxxxxxx> wrote:

> But, IMO, hiding menus is not a good idea because a determined
> user can still craft an HTTP request to read those objects that he
> should not.
>
> The above is pointless if OpenERP will not allow read access to an
> object when the related menu item is not visible.
>
> Just a quick comment, mistakes on my side are to be expected &
> corrected.
>
> Thank you.
>
> --
> Best regards,
> Tadeus Prastowo (Free Software specialist and developer)
>
> i n f i n i t y . s o l u t i o n
> PT. Vikasa Infinity Anugrah (www.infi-nity.com)
> BSD City Sektor 14, Ruko Golden Madrid 2 blok G/9, Tangerang Selatan
> 15321 - INDONESIA
> t: +62 (21) 5316 4796 f: +62 (21) 5316 4797 m:+62 878 08305292
>
> On Mon, 2012-07-02 at 18:00 +0200, Luciano Spiegel wrote:
> > Hi, I want to set up roles and permissions for users who can only
> > create tasks works and edit tasks (kind of freelancers users who
> > report hours worked to us). I have Analytic Account modules installed.
> > I added the user to Project Manager / User (slightly customized so the
> > freelancer can access only to his Projects / Tasks assigned) and Human
> > Resources / Employee groups, both needed to create tasks works.
> >
> >
> > The issue is when I assigned the user to the group HR /
> > Employee, automatically that user sees the menu Project / Invoicing /
> > Contracts to Renew and Project / Invoicing / Invoice Tasks Work.
> > Even if those menus are not assigned to the configuration of the group
> > HR Employee nor PM /User.
> >
> >
> > So the "freelancers" have access to the page where all the contracts
> > are (Analytic Accounts) and to Analytic Account Lines (Analytic
> > Journal Items), in those views.
> > I cannot deny read access for both objects because it's needed to
> > create task work.
> >
> >
> > Any idea how I can hide those menus / views for this case?
> >
> >
> > thanks in advance
> >
> >
>
>
>


-- 
*Luciano Spiegel*
iXiam Global Solutions
e: l.spiegel@xxxxxxxxx
m: +34  662 131 618
www.ixiam.com
