openerp-india team mailing list archive

[sylaris <940169@xxxxxxxxxxxxxxxxxx>]

Sorry, I did not notice at first that not all databases have the same fields, so my statement about "the first application" is not clear. I made a few screenshots to be clearer (see attached file). Sorry, some fields are in french...
The first image shows that at the beginning, the user has normal rights, as given by the administrator. The second image shows the administrator giving "crm" right for the field "Customer Relation Management". Notice that, before saving, nothing happens for the other rights. The third and last image shows what happens after saving this only modification: the user suddenly has maximal rights for every application and has administration rights.
It seemed to me like a security issue, since a user can be given important rights by mistake and thus make modifications to the databases he should not be allowed to.

** Attachment added: "Explanation screenshots"
   https://bugs.launchpad.net/openobject-server/+bug/940169/+attachment/2790437/+files/bug940169-explanationscreenshot.png

-- 
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Server.
https://bugs.launchpad.net/bugs/940169

Title:
  All access rights given to "crm" users

Status in OpenERP Server:
  Incomplete

Bug description:
  Using OpenERP 6.1, the following bug occurs when modifying the access rights of a user (at creation of the user or at any other time): if the "crm" right is given for the first application, then all other access rights are pushed to their maximum: the user becomes a manager for every application, gets administration rights, and so on.
  This modification does not occur before saving the modifications: if one selects the "crm" right then removes it before saving, everything goes on as it should.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-server/+bug/940169/+subscriptions