openerp-community team mailing list archive

Re: Portal partner rule bug

 

Thanks a lot for your response. I solved this successfully thanks to you: I
created a domain rule that applies for read as portal does and applies only
to the portal group; the anonymous group still finds its way into the portal
rule check. I just forgot that the domain rules for groups apply using OR.
Thanks again


On Thu, Jan 16, 2014 at 4:04 AM, Olivier Dony <odo@xxxxxxxxxxx> wrote:

> On 01/15/2014 03:56 PM, Axel Mendoza Pupo wrote:
>
>> This bug is related to search on model res.partner when the module portal
>> is installed, because of an ir.rule of res.partner in that module's
>> security. Suppose that there is an extension of res.partner that adds one
>> or more many2one fields to res.users, and those users have their own
>> partner; I mean that they are not users of this parent, just relations to
>> express business. If you want to search over those res.users relation
>> fields that involve the res.partner model, e.g.:
>> [('partner_id.user_urgency_id', '=', uid)]
>> then this domain, or a search that uses this domain, will not work
>> properly due to the ir.rule of the portal module, which adds checks to the
>> domain that do not let you find the correct values.
>>
>
> If an "extension" adds extra relationships towards users/partners on the
> regular partner model, this extension should decide whether those related
> records should be made available to portal users.
>
> So it's not a bug, it's a configuration issue. By default the portal
> module will only allow portal users to read their own partner data (i.e.
> the partner that corresponds to their user). This is a security restriction
> to prevent your customers from accessing the list of your other customers,
> suppliers or employees. Otherwise they could do that by following
> relationships on the screens, manipulating URLs or making direct RPC calls.
>
> So if your "extension" wants to make the extra relationship data available
> for portal users, it should simply add new ir.rule entries to permit this.
>
> You should only disable the default portal security rule if you understand
> what you are doing, or if you don't care about security at all.
>
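
The OR behaviour mentioned in the reply above, shown as an added example that is not part of the original thread and is not OpenERP code: a toy Python model of how ir.rule entries combine, and why one overly broad rule on the same group cancels the portal restriction. The ids, group name and rule domains are constructed assumptions; only the field name user_urgency_id comes from the thread.

```python
# Added illustration: a toy model of ir.rule combination, not OpenERP code.
# Rules with no group are global and are ANDed; rules attached to groups the
# user belongs to are ORed together, then ANDed with the global ones.

def matches(record, domain):
    """Evaluate a flat domain of ('field', '=', value) leaves (implicit AND)."""
    return all(record.get(field) == value for field, _op, value in domain)

def readable_ids(records, rules, user_groups):
    """Return the sorted ids of the records the rule set lets the user read."""
    global_rules = [r for r in rules if not r["groups"]]
    group_rules = [r for r in rules if r["groups"] & user_groups]
    ids = []
    for rec in records:
        if not all(matches(rec, r["domain"]) for r in global_rules):
            continue
        if group_rules and not any(matches(rec, r["domain"]) for r in group_rules):
            continue
        ids.append(rec["id"])
    return sorted(ids)

# Constructed sample data: portal user uid=7 owns partner 70.
UID, OWN_PARTNER = 7, 70
PARTNERS = [
    {"id": 70, "user_urgency_id": None},  # the portal user's own partner
    {"id": 71, "user_urgency_id": 7},     # linked to uid 7 by the extension field
    {"id": 72, "user_urgency_id": 9},     # another customer, unrelated
]
# Assumed rule shapes: the default rule limits reads to the user's own partner.
PORTAL_DEFAULT = {"groups": {"portal"}, "domain": [("id", "=", OWN_PARTNER)]}
EXTENSION_RULE = {"groups": {"portal"}, "domain": [("user_urgency_id", "=", UID)]}
TOO_BROAD_RULE = {"groups": {"portal"}, "domain": []}  # empty domain matches all

def demo():
    groups = {"portal"}
    return {
        "default": readable_ids(PARTNERS, [PORTAL_DEFAULT], groups),
        "extended": readable_ids(PARTNERS, [PORTAL_DEFAULT, EXTENSION_RULE], groups),
        "too_broad": readable_ids(PARTNERS, [PORTAL_DEFAULT, TOO_BROAD_RULE], groups),
    }

if __name__ == "__main__":
    for name, ids in demo().items():
        print(name, ids)
```

Because group rules are ORed, every rule added for the portal group should be reviewed as a widening of what customers can read, never as a further restriction.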
