← Back to team overview

openerp-community team mailing list archive

Re: Portal partner rule bug

 

On 01/15/2014 03:56 PM, Axel Mendoza Pupo wrote:
This bug is related with search on model res.partner when the module portal is
installed because of an ir.rule of res.partner in that module security
Suppose that there is an extension of res.partner that add one or more many2one
fields to res.users, and those users have their own partner, I mean that they
are not users of this parent, just relations to express business. If you want
to do search over those res.users relation fields that involve the res.partner
model, ex:
[('partner_id.user_urgency_id', '=', uid)]
then this domain or search that use this domain will not work properly due to
the ir.rule of portal module that adds checks to the domain that cannot let you
find the correct values.

If an "extension" adds extra relationships towards users/partners on the regular partner model, this extension should decide whether those related records should be made available to portal users.

So it's not a bug, it's a configuration issue. By default the portal module will only allow portal users to read their own partner data (i.e. the partner that corresponds to their user). This is a security restriction to prevent your customers from accessing the list of your other customers, suppliers or employees. Otherwise they could do that by following relationships on the screens, manipulating URLs or making direct RPC calls.

So if your "extension" wants to make the extra relationship data available for portal users, it should simply add new ir.rule entries to permit this.

You should only disable the default portal security rule if you understand what you are doing, or if you don't care about security at all.


Follow ups

References