openerp-india team mailing list archive

Thread
Date

[Bug 969198] Re: Any Employee has full CRUD of every other Employee's Attachments

To: openerp-india@xxxxxxxxxxxxxxxxxxx
From: "Olivier Dony \(OpenERP\)" <969198@xxxxxxxxxxxxxxxxxx>
Date: Fri, 30 Mar 2012 15:43:59 -0000
Reply-to: Bug 969198 <969198@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Hello Alan,

I'm not sure if this is a real bug or more of a specific customization
that you want to add for certain companies...

You might be able to do it with a pair of Record Rules if you change your requirement to be: "employees can only see attachments that they created themselves, regardless". For example the normal employee group would have one rule to restrict access to employee attachments:
   ['|',('res_model','!=','hr.employee'),('user_id','=',user.id)]

and the HR Manager/HR Officer groups would have a Rule that cancels the normal rule for employees:
   [(1,'=',1)]


Now if you really need to have a special permission for your own employee attachments you probably need to extend the user model by adding an "employee_id" relationship that can be used to check for this special case:
  ['|',('res_model','!=','hr.employee'),'|',('user_id','=',user.id),('res_id','=',user.employee_id.id)]
If the "employee_id" field was automatically computed by looking for the only employee that matches the user, it would make everything quite simple. We might add such a field in the future indeed, as there are many cases where this "reverse" relationship would be useful.

-- 
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Addons.
https://bugs.launchpad.net/bugs/969198

Title:
  Any Employee has full CRUD of every other Employee's Attachments

Status in OpenERP Addons (modules):
  New

Bug description:
  We are migrating a customer from 6.0 to 6.1. I raised this issue under
  their OpenERP Enterprise contract [573293] but the support team have
  asked me to report the bug here.

  In the hr.employee module *any* other employee on the system can
  create, read or DELETE attachments on any other employee's main page.
  This occurs in both Web and GTK Clients.

  In my opinion an Employee should be able to read *any* attachment on
  their own employee record only. They should be able to remove (delete)
  only those attachments which they themselves added.

  The HR Manager (& possibly HR User) should be able to add, read and
  remove attachments from any employees.

  Unfortunately, I do not believe this configuration is possible
  currently as the domain rules do not appear to have scope beyond a
  single object and the employee_id doesn't match their user_id. I think
  to achieve this you need to be able to read the res_id of the
  ir.attachment object then, if the res_model is hr.employee, get the
  user_id of the appropriate hr.employee record to match against.

  I was trying to create an Access Rule like this:

  [('user_id','=',user.id),('res_model','=','hr.employee'),('hr.employee[res_id].user_id','=',user.id)]

  But of course it doesn't work.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-addons/+bug/969198/+subscriptions