
openerp-india team mailing list archive

[Bug 944813] Re: can't access some user object once user has changed company


Thanks for the answer. I viewed your video which -- I'm afraid --
doesn't illustrate the bug case as I tried to explain.

What you show in your video is that viewing the form view of a task that
is assigned to you will work (correct me if I'm wrong).

What triggers the bug is trying to view a task that is assigned to somebody ELSE (let's say Bob) who is in the same company as you.
The additional trick is that Bob must have changed his active company in his profile before you try to view the task.

Here are the steps:
- Making the test environment:
    - Create Alice and Bob in the Users
    - Create Microsoft and Apple
    - Alice works at Microsoft, and Bob works at Microsoft AND Apple (he's a lucky guy)
- Test routine:
    - Bob creates a task "Fix that blue screen" while logged in to the company Microsoft.
    - Bob then changes his profile to switch to the Apple company.
    - OPTIONAL: For the purpose of the test, he may log out and let Alice log in.
    - Alice wants to view the form view of the task "Fix that blue screen"

Can you repeat it? Is it clearer?

As a reminder, please also avoid using "Administrator" in the "Alice" role, as ir_rules permissions are not applied to the administrator,
because:

_compute_domain(...) will have
  ...
  if uid == SUPERUSER_ID:
      return None
  ...

which bypasses any ir_rule permission checks.

-- 
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Server.
https://bugs.launchpad.net/bugs/944813

Title:
  can't access some user object once user has changed company

Status in OpenERP Server:
  Incomplete

Bug description:
  ISSUE:

  We are using the ``project`` module, and have 2 companies registered in
  OpenERP (6.1 final).

  When a user creates a task in a company, then changes their default
  company in their profile settings, other users registered only in the
  first company are unable to access the form view of the task. They
  receive a:

  "Access Error" on operation "read" on document type "Users"

  Although we can check that the task is correctly registered in the first company.
  Notice also that the AccessError is triggered on "Users" and not on Tasks...

  MORE INFORMATION:

  After looking deeper, it seems that "ir_rules" are involved in
  checking that the current user is authorized to view the "res.users"
  record that describes the creator of the task. Information on the
  project.task creator is probably needed to display its name.

  The rule (in "ir_rules") concerning "res.users" object is set by
  default to this value (as of lp:openobject-server rev 4072):

  in base/res/res_security.xml:

  ['|',('company_id.child_ids','child_of',[user.company_id.id]),('company_id','child_of',[user.company_id.id])]

  This will use the "company_id" of the target user to check if we can
  access his "res.users" record.

  If using the "company_id" attribute makes sense in other objects such as
  "project.task" to decide if a user can see it, it seems to me that it
  has a different meaning in "res.users" objects: it's the last context
  value of this user. It's some sort of personal configuration that
  shouldn't be used to check for granting permissions to other users to
  get access to my res.users record.

  Instead, what seems important is to check "company_ids" (with a final
  's'), which lists all companies in which this user is registered as a
  member.

  My proposition would be to put something like this:

    [('company_ids', 'child_of', user.company_id.id)]

  Any comments?

To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-server/+bug/944813/+subscriptions
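As an added illustration (not code from the bug report or from OpenERP itself), the following toy model evaluates the two res.users rule domains discussed above against the Alice/Bob/Microsoft/Apple scenario. The company table, the user dicts and the simplified child_of helper are constructed assumptions standing in for OpenERP's real ir.rule evaluation.

```python
# Added example, not code from the bug report or from OpenERP: a toy model of
# the two ir.rule domains on res.users discussed in the report, evaluated for
# the Alice/Bob/Microsoft/Apple scenario. The company table, the user dicts and
# the child_of helper are constructed assumptions, not OpenERP's implementation.

# Constructed company hierarchy: company name -> parent company name (or None).
COMPANIES = {"Microsoft": None, "Apple": None}


def child_of(company, ancestors):
    """Approximate ir.rule 'child_of': company is in `ancestors` or below one of them."""
    while company is not None:
        if company in ancestors:
            return True
        company = COMPANIES[company]
    return False


def default_rule(viewer, target):
    """res.users rule quoted from base/res/res_security.xml (OpenERP 6.1):
    '|', company_id.child_ids child_of viewer.company, company_id child_of viewer.company.
    It only looks at the target's *active* company (company_id)."""
    allowed = [viewer["company_id"]]
    sub_companies = [c for c, parent in COMPANIES.items() if parent == target["company_id"]]
    return (any(child_of(c, allowed) for c in sub_companies)
            or child_of(target["company_id"], allowed))


def proposed_rule(viewer, target):
    """Reporter's proposal: [('company_ids', 'child_of', user.company_id.id)],
    i.e. any company the target is a member of may fall under the viewer's company."""
    allowed = [viewer["company_id"]]
    return any(child_of(c, allowed) for c in target["company_ids"])


def scenario():
    """Alice (Microsoft only) reads Bob's res.users record before and after Bob
    switches his active company to Apple. Returns (default_rule, proposed_rule) per step."""
    alice = {"company_id": "Microsoft", "company_ids": ["Microsoft"]}
    bob = {"company_id": "Microsoft", "company_ids": ["Microsoft", "Apple"]}
    before = (default_rule(alice, bob), proposed_rule(alice, bob))
    bob["company_id"] = "Apple"  # Bob changes his active company in his preferences
    after = (default_rule(alice, bob), proposed_rule(alice, bob))
    return {"before_switch": before, "after_switch": after}


if __name__ == "__main__":
    for step, (default_ok, proposed_ok) in scenario().items():
        print(f"{step}: default rule -> {default_ok}, proposed rule -> {proposed_ok}")
```

With the default rule Alice loses read access to Bob's record as soon as he switches his active company, which is the "Access Error" on "Users" the report describes; the company_ids-based rule keeps it, because Bob is still a member of Microsoft.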
