openerp-india team mailing list archive
Message #08447
[Bug 944813] [NEW] can't access some user object once user has changed company
Public bug reported:

ISSUE:

We are using the ``project`` module, and have 2 companies registered in
OpenERP (6.1 final).

When a user creates a task in a company, then changes their default
company in their profile settings, other users registered only in the
first company are unable to access the form view of the task. They
receive a:

    "Access Error" on operation "read" on document type "Users"

Although we can check that the task is correctly registered to be in the first company.

Notice also that it's on "Users" that the AccessError is triggered and not Tasks...

MORE INFORMATION:

After looking deeper, it seems that "ir_rules" are involved in checking
that the current user is authorized to view the "res.users" record that
describes the creator of the task.

The rule (in "ir_rules") concerning the "res.users" object is set by default
to this value (as of lp:openobject-server rev 4072):

in base/res/res_security.xml:

    ['|',('company_id.child_ids','child_of',[user.company_id.id]),('company_id','child_of',[user.company_id.id])]

Which will use the "company_id" of the target user (and NOT the current
user), to check if we can access his "res.user" record.

If using the "company_id" attribute makes sense in other objects such as
"project.tasks" to decide if a user can see it, it seems to me that it
has a different meaning in "res.users" objects: it's the last context
value of this user. What seems important is to check "company_ids" (with
a final 's'), which lists all companies in which this user is
registered as a member.

My proposition would be to put something like this:

    [('company_ids', 'child_of', user.company_id.id)]

Any comments?

** Affects: openobject-server
Importance: Undecided
Status: New
** Tags: multicompany permissions res.users
--
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Server.
https://bugs.launchpad.net/bugs/944813
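
Added example (not part of the original bug report, and not OpenERP's own code): a simplified Python model of how the two record-rule domains quoted above evaluate for a viewer who belongs only to the first company. It assumes two unrelated companies (ids 1 and 2), a child company 3 of company 1, and constructed user records; 'child_of' is modelled as membership in the viewer's company subtree.

```python
# Simplified model of the 'child_of' record-rule check (constructed data,
# not the OpenERP ORM). Company ids and user records are assumptions.
PARENT = {1: None, 2: None, 3: 1}   # company id -> parent id; 3 is a child of 1

def descendants(root):
    """Return root plus every company below it in the hierarchy."""
    found = {root}
    changed = True
    while changed:
        changed = False
        for cid, parent in PARENT.items():
            if parent in found and cid not in found:
                found.add(cid)
                changed = True
    return found

def children(cid):
    """Direct child companies of cid (models company_id.child_ids)."""
    return {c for c, p in PARENT.items() if p == cid}

def default_rule(viewer, target):
    """['|', ('company_id.child_ids','child_of',[user.company_id.id]),
             ('company_id','child_of',[user.company_id.id])]"""
    scope = descendants(viewer["company_id"])
    return bool(children(target["company_id"]) & scope) or target["company_id"] in scope

def proposed_rule(viewer, target):
    """[('company_ids', 'child_of', user.company_id.id)]"""
    return bool(set(target["company_ids"]) & descendants(viewer["company_id"]))

viewer = {"company_id": 1, "company_ids": [1]}            # registered only in company 1
TARGETS = {
    "creator_before": {"company_id": 1, "company_ids": [1, 2]},  # default company still 1
    "creator_after": {"company_id": 2, "company_ids": [1, 2]},   # switched default to 2
    "outsider": {"company_id": 2, "company_ids": [2]},           # never a member of 1
}

def report():
    """Map each target to (allowed by default rule, allowed by proposed rule)."""
    return {name: (default_rule(viewer, t), proposed_rule(viewer, t))
            for name, t in TARGETS.items()}

if __name__ == "__main__":
    for name, (d, p) in report().items():
        print(f"{name:15} default={d!s:5} proposed={p}")
```

The "outsider" row checks that the proposed domain still hides users who have no membership in the viewer's company subtree.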