openerp-india team mailing list archive
Message #09663
[Bug 969198] Re: Any Employee has full CRUD of every other Employee's Attachments
Thanks for the suggestion but if I understand it correctly, it doesn't
really fix the problem.
If the Employee can only view his own attachments then that won't work.
Think of the main use-case here...
The HR or your line Manager is the one who is just as likely to be
adding attachments to their employees' profiles as the employee
themselves (perhaps even more so); these could be various company
documents and policies etc., not just the highly private ones that are
stored in the Employee's Contracts area.
I think that right now, the way OpenERP configures attachments on an
employee object is a bug. I mean, really would you expect that *anyone*
in your company could come along and add or delete attachments to your
Employee record?
I appreciate that I may have a marginally more specific use-case than
everyone else, but nevertheless I believe that the bug is that
attachments are totally insecure on an employee record.
--
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Addons.
https://bugs.launchpad.net/bugs/969198
Title:
Any Employee has full CRUD of every other Employee's Attachments
Status in OpenERP Addons (modules):
New
Bug description:
We are migrating a customer from 6.0 to 6.1. I raised this issue under
their OpenERP Enterprise contract [573293] but the support team have
asked me to report the bug here.
In the hr.employee module *any* other employee on the system can
create, read or DELETE attachments on any other employee's main page.
This occurs in both Web and GTK Clients.
In my opinion an Employee should be able to read *any* attachment on
their own employee record only. They should be able to remove (delete)
only those attachments which they themselves added.
The HR Manager (& possibly HR User) should be able to add, read and
remove attachments from any employees.
Unfortunately, I do not believe this configuration is possible
currently as the domain rules do not appear to have scope beyond a
single object and the employee_id doesn't match their user_id. I think
to achieve this you need to be able to read the res_id of the
ir.attachment object then, if the res_model is hr.employee, get the
user_id of the appropriate hr.employee record to match against.
I was trying to create an Access Rule like this:
[('user_id','=',user.id),('res_model','=','hr.employee'),('hr.employee[res_id].user_id','=',user.id)]
But of course it doesn't work.
To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-addons/+bug/969198/+subscriptions
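As an added example, not part of the bug report or of OpenERP's own code: a plain-Python model of the access policy proposed in the bug description, with constructed employee and attachment records. It performs the res_model/res_id to hr.employee.user_id lookup that the reporter says a single-object domain rule cannot express. The record data, field names used as dictionary keys and the HR_MANAGER_UIDS set are all constructed for illustration.

```python
# Constructed hr.employee records keyed by id, each linked to a res.users id.
EMPLOYEES = {
    1: {"name": "Alice", "user_id": 101},
    2: {"name": "Bob", "user_id": 102},
}

# Constructed ir.attachment records: res_model/res_id point at the owning
# record, create_uid is the user who uploaded the file.
ATTACHMENTS = {
    10: {"res_model": "hr.employee", "res_id": 1, "create_uid": 101},  # Alice's own upload
    11: {"res_model": "hr.employee", "res_id": 1, "create_uid": 103},  # uploaded by HR for Alice
    12: {"res_model": "hr.employee", "res_id": 2, "create_uid": 102},  # Bob's own upload
}

# Constructed: user ids belonging to the HR Manager group.
HR_MANAGER_UIDS = {103}


def owning_user_id(attachment):
    """Follow res_model/res_id to hr.employee.user_id.

    Returns None for attachments on other models or for dangling res_ids,
    so callers fall through to a deny rather than an accidental allow.
    """
    if attachment["res_model"] != "hr.employee":
        return None
    emp = EMPLOYEES.get(attachment["res_id"])
    return emp["user_id"] if emp else None


def check_access(uid, attachment, operation):
    """True if user `uid` may perform `operation` (read/create/unlink) on
    the given employee attachment, per the policy in the bug description."""
    if attachment["res_model"] != "hr.employee":
        return False  # not an employee attachment: outside this policy
    if uid in HR_MANAGER_UIDS:
        return True  # HR Manager: add, read and remove on any employee
    if owning_user_id(attachment) != uid:
        return False  # someone else's employee record: no access at all
    if operation in ("read", "create"):
        return True  # any attachment on your own employee record
    if operation == "unlink":
        return attachment["create_uid"] == uid  # delete only what you added
    return False  # unknown or unlisted operation: deny by default
```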