Thread Previous • Date Previous • Date Next • Thread Next |
On 01/15/2014 03:56 PM, Axel Mendoza Pupo wrote:
This bug is related with search on model res.partner when the module portal is installed because of an ir.rule of res.partner in that module security Suppose that there is an extension of res.partner that add one or more many2one fields to res.users, and those users have their own partner, I mean that they are not users of this parent, just relations to express business. If you want to do search over those res.users relation fields that involve the res.partner model, ex: [('partner_id.user_urgency_id', '=', uid)] then this domain or search that use this domain will not work properly due to the ir.rule of portal module that adds checks to the domain that cannot let you find the correct values.
If an "extension" adds extra relationships towards users/partners on the regular partner model, this extension should decide whether those related records should be made available to portal users.
So it's not a bug, it's a configuration issue. By default the portal module will only allow portal users to read their own partner data (i.e. the partner that corresponds to their user). This is a security restriction to prevent your customers from accessing the list of your other customers, suppliers or employees. Otherwise they could do that by following relationships on the screens, manipulating URLs or making direct RPC calls.
So if your "extension" wants to make the extra relationship data available for portal users, it should simply add new ir.rule entries to permit this.
You should only disable the default portal security rule if you understand what you are doing, or if you don't care about security at all.
Thread Previous • Date Previous • Date Next • Thread Next |