
openerp-india team mailing list archive

[Bug 1084411] [NEW] [trunk] Crossing ACL make not readable ir.ui.menu model.


Public bug reported:

Hello.

If you try to read ir.ui.menu with the anonymous user, there is a cross ACL
related to the read of the res.partner model that prevents reading this element.

How to replicate?

Install the auth_anonymous module [to have the anonymous user available].
Install the mail module (it is the one that introduces the bug).
Set a password for this user.
Try to log in as this user.

What I got:
------------
Access Denied

Sorry, you are not allowed to access this document. Only users with the following access level are currently allowed to do that:
- Portal
- Contact Creation
- Human Resources/Employee

(Document model: res.partner)
------------

What I expect:
Blank page without access to anything.

The main issue is that some override of search is asking for
res.partner. IMHO this is a security breach even if access is given through
SUPERUSER_ID; a user just must see the models explicit in their ACL.

How to verify deeper:

Install a DB (no modules).
Just install a new DB.
Install the auth_anonymous module [to have the anonymous user available].
Log in as anonymous.
What I expect is what happens: logged in to a blank screen.


Solutions:
1.- Verify the mail module.
2.- YAML test to log in to the system to verify that other modules are not presenting the same problem.

Thanks a lot!

** Affects: openobject-addons
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Addons.
https://bugs.launchpad.net/bugs/1084411
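As an added illustration, not code from the report or from OpenERP, here is a small Python model of the ACL interaction the report describes: a search override on ir.ui.menu that consults res.partner with the caller's uid makes the anonymous user's menu listing depend on a res.partner ACL it does not have, and a least-privilege variant simply hides the partner-dependent menus instead of raising. The uids, ACL table, menus and partner records are all constructed.

```python
SUPERUSER_ID = 1
ANONYMOUS_UID = 3  # constructed uid standing in for the auth_anonymous user

class AccessError(Exception):
    """Stands in for OpenERP's AccessError ("Sorry, you are not allowed ...")."""

# Constructed model ACL: model name -> uids with read access. The anonymous
# user may read ir.ui.menu but has no access rule at all for res.partner.
READ_ACL = {"ir.ui.menu": {ANONYMOUS_UID}, "res.partner": set()}

# Constructed records: menu 1 depends on a partner record, menu 2 does not.
MENUS = [{"id": 1, "name": "Messaging", "partner_id": 7},
         {"id": 2, "name": "Home", "partner_id": None}]
PARTNERS = {7: {"id": 7, "name": "Demo partner", "active": True}}

def can_read(uid, model):
    # Model-level read check; the superuser bypasses ACLs, as in OpenERP.
    return uid == SUPERUSER_ID or uid in READ_ACL.get(model, set())

def check_read(uid, model):
    if not can_read(uid, model):
        raise AccessError("Access Denied (Document model: %s)" % model)

def search_menu_base(uid):
    # Plain ir.ui.menu search: only the ir.ui.menu ACL is consulted.
    check_read(uid, "ir.ui.menu")
    return [m["id"] for m in MENUS]

def _menus_for(ids, visible_partners):
    # Keep menus without a partner, plus those whose partner the caller may see.
    return [m["id"] for m in MENUS if m["id"] in ids
            and (m["partner_id"] is None or m["partner_id"] in visible_partners)]

def search_menu_crossing(uid):
    # Override shaped like the reported bug: it reads res.partner with the
    # caller's uid, so listing menus now silently requires a res.partner ACL.
    ids = search_menu_base(uid)
    check_read(uid, "res.partner")  # this is what the anonymous user hits
    return _menus_for(ids, {p for p, r in PARTNERS.items() if r["active"]})

def search_menu_fixed(uid):
    # Least-privilege variant: a caller without a res.partner ACL simply does
    # not see partner-dependent menus; nothing raises, and the partner lookup
    # is never escalated to SUPERUSER_ID on the caller's behalf.
    ids = search_menu_base(uid)
    if not can_read(uid, "res.partner"):
        return _menus_for(ids, set())
    return _menus_for(ids, {p for p, r in PARTNERS.items() if r["active"]})
```

Running `search_menu_crossing(ANONYMOUS_UID)` reproduces the "Document model: res.partner" denial from the report, while `search_menu_fixed(ANONYMOUS_UID)` returns only the partner-independent menu.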

