
openerp-india team mailing list archive

[Bug 1085012] [NEW] Removal if an inherited group does not remove users from said group

 

Public bug reported:

Suppose we have a user U and groups Seller, AdvancedSeller.

U is only a member of AdvancedSeller.

Now we open the group "AdvancedSeller" and add "Seller" under Inherited Groups.
This works as expected, U becomes a member of Seller, so adding inheritance influences existing users.

Now we open the group AdvancedSeller again and remove "Seller" under Inherited Groups.
With the behaviour from above, I would expect that U gets removed from "Seller". However, he remains a seller.

In conclusion, removing inherited groups from a group does not correctly
limit the group's rights.

I think I understand the technical reasons for this: Adding can be done
no matter the previous state of the User, worst case is he already was
in the Seller group and the additional add via inheritance doesn't hurt.

However, if we want to apply removed inheritance to the user, we face the
question of whether he is a member of Seller ONLY because of the group
inheritance or was added there manually before the inheritance was introduced.

I am not sure how to resolve this. Maybe group inheritance is inherently
wrong and should be replaced by allowing groups to become members of
groups.

I get that this is almost a feature request but I believe it is a
potential security issue that adding permissions works as intended but
removing permissions in the same way fails without a warning.

At the very least there should be a warning dialog after removal of an
inheritance that reminds the user to manually remove the group ownership.

** Affects: openobject-server
     Importance: Undecided
         Status: New


** Tags: group groups inherit inheritance inherited

-- 
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Server.
https://bugs.launchpad.net/bugs/1085012

To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-server/+bug/1085012/+subscriptions
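
The dilemma in the report, as an added example (not OpenERP code and not written by the reporter): a simplified model in which inheritance copies users into the inherited group, beside one that stores only direct membership and derives the rest at check time. All class and function names are hypothetical.

```python
class MaterializedGroups:
    """Constructed model: adding inheritance copies users into the inherited group."""
    def __init__(self):
        self.members = {}   # group -> set of users, with no record of why
        self.implied = {}   # group -> set of inherited groups

    def add_user(self, group, user):
        self.members.setdefault(group, set()).add(user)

    def add_inherited(self, group, inherited):
        self.implied.setdefault(group, set()).add(inherited)
        for user in self.members.get(group, set()):
            self.add_user(inherited, user)

    def remove_inherited(self, group, inherited):
        # Only the link is dropped: copied and manual memberships look the same.
        self.implied.get(group, set()).discard(inherited)

    def is_member(self, user, group):
        return user in self.members.get(group, set())

class ComputedGroups(MaterializedGroups):
    """Stores direct membership only; effective membership is derived on demand."""
    def add_inherited(self, group, inherited):
        self.implied.setdefault(group, set()).add(inherited)

    def is_member(self, user, group):
        # Walk inheritance links from every group the user is directly in.
        stack = [g for g, users in self.members.items() if user in users]
        seen = set()
        while stack:
            g = stack.pop()
            if g == group:
                return True
            if g not in seen:
                seen.add(g)
                stack.extend(self.implied.get(g, ()))
        return False

def scenario(model_cls, manual_seller=False):
    """Replay the report: returns U's Seller membership (during, after) inheritance."""
    m = model_cls()
    m.add_user("AdvancedSeller", "U")
    if manual_seller:
        m.add_user("Seller", "U")   # U was a Seller before inheritance existed
    m.add_inherited("AdvancedSeller", "Seller")
    during = m.is_member("U", "Seller")
    m.remove_inherited("AdvancedSeller", "Seller")
    return during, m.is_member("U", "Seller")
```

With direct membership kept separate, removing the inheritance revokes only what it granted, and a manually added Seller membership survives.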

