openerp-india team mailing list archive

["hbto \[Vauxoo\] http://www.vauxoo.com" <humbertoarocha@xxxxxxxxx>]

Public bug reported:

[account] account_move button_validate method is not taking into account
group privilages,

Create a new user, 
Create a new group with just rights to read account.move object, 
Add that user to the Employee Group,
After That try to validate an Entry Move created by an Inventory Move,

It will be posted, Why??

I think that it is because those account_move has already been numbered,

This is different when you are doing an accoun_move from scratch,

My Though is that the post method on account_move is the responsible of this
Why? 

because of this piece of code:

When doing and account move from scratch account_move does not
have a number, and this new_name variable is read, and account_move
is written,
                if new_name:
                    self.write(cr, uid, [move.id], {'name':newname})

But in the case of account_move created by stock_moves
there is no need to generate new_name, so new_name keeps False value
and the following piece of code is execute, which does not take into account
who is executing the post method allowing any user approving a post with a previously
assigned number

        cr.execute('UPDATE account_move '\
                   'SET state=%s '\
                   'WHERE id IN %s',
                   ('posted', tuple(valid_moves),))

Thanks in advance for your help.

Hbto [Vauxoo]

** Affects: openobject-addons
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Addons.
https://bugs.launchpad.net/bugs/931776

Title:
  [account] account_move button_validate method is not taking into
  account group privilages

Status in OpenERP Addons (modules):
  New

Bug description:
  [account] account_move button_validate method is not taking into
  account group privilages,

  Create a new user, 
  Create a new group with just rights to read account.move object, 
  Add that user to the Employee Group,
  After That try to validate an Entry Move created by an Inventory Move,

  It will be posted, Why??

  I think that it is because those account_move has already been
  numbered,

  This is different when you are doing an accoun_move from scratch,

  My Though is that the post method on account_move is the responsible of this
  Why? 

  because of this piece of code:

  When doing and account move from scratch account_move does not
  have a number, and this new_name variable is read, and account_move
  is written,
                  if new_name:
                      self.write(cr, uid, [move.id], {'name':newname})

  But in the case of account_move created by stock_moves
  there is no need to generate new_name, so new_name keeps False value
  and the following piece of code is execute, which does not take into account
  who is executing the post method allowing any user approving a post with a previously
  assigned number

          cr.execute('UPDATE account_move '\
                     'SET state=%s '\
                     'WHERE id IN %s',
                     ('posted', tuple(valid_moves),))

  Thanks in advance for your help.

  Hbto [Vauxoo]

To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-addons/+bug/931776/+subscriptions