openerp-india team mailing list archive

["Olivier Dony \(OpenERP\)" <969198@xxxxxxxxxxxxxxxxxx>]

** Visibility changed to: Public

** This bug is no longer flagged as a security vulnerability

-- 
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Addons.
https://bugs.launchpad.net/bugs/969198

Title:
  Any Employee has full CRUD of every other Employee's Attachments

Status in OpenERP Addons (modules):
  New

Bug description:
  We are migrating a customer from 6.0 to 6.1. I raised this issue under
  their OpenERP Enterprise contract [573293] but the support team have
  asked me to report the bug here.

  In the hr.employee module *any* other employee on the system can
  create, read or DELETE attachments on any other employee's main page.
  This occurs in both Web and GTK Clients.

  In my opinion an Employee should be able to read *any* attachment on
  their own employee record only. They should be able to remove (delete)
  only those attachments which they themselves added.

  The HR Manager (& possibly HR User) should be able to add, read and
  remove attachments from any employees.

  Unfortunately, I do not believe this configuration is possible
  currently as the domain rules do not appear to have scope beyond a
  single object and the employee_id doesn't match their user_id. I think
  to achieve this you need to be able to read the res_id of the
  ir.attachment object then, if the res_model is hr.employee, get the
  user_id of the appropriate hr.employee record to match against.

  I was trying to create an Access Rule like this:

  [('user_id','=',user.id),('res_model','=','hr.employee'),('hr.employee[res_id].user_id','=',user.id)]

  But of course it doesn't work.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-addons/+bug/969198/+subscriptions