openerp-india team mailing list archive
Message #19223
[Bug 1087125] Re: [trunk] Anonymous user allow change them TimeZone
I agree, the anonymous user should not benefit from the magic bypass
that lets normal users set their own preferences.
Practically this will have little effect because in anonymous mode the
client should use per-session preferences rather than per-user
preferences (since the user is shared by many client sessions). But it
is more correct anyway. But it is better to clearly prevent it so there
is no doubt about the expected behavior.
i.e. the anonymous module should inherit res.users.write() and raise
whenever the current uid is the anonymous user.
** Changed in: openobject-server
Importance: Undecided => Low
** Changed in: openobject-server
Status: Incomplete => Confirmed
** Changed in: openobject-server
Milestone: None => 7.0
** Changed in: openobject-server
Assignee: (unassigned) => OpenERP's Framework R&D (openerp-dev-framework)
** Summary changed:
- [trunk] Anonymous user allow change them TimeZone
+ [trunk] Anonymous user should not be able to change its stored user preferences
** Project changed: openobject-server => openobject-addons
** Changed in: openobject-addons
Milestone: 7.0 => None
--
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Server.
https://bugs.launchpad.net/bugs/1087125
Title:
[trunk] Anonymous user should not be able to change its stored user
preferences
Status in OpenERP Addons (modules):
Confirmed
Bug description:
Hello.
IMHO, this user should be treated a little more specially; changing the
timezone and any feature should be blocked.
Cool feature, but insecure and incomplete from this PoV.
Regards.
To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-addons/+bug/1087125/+subscriptions
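A framework-free sketch of the guard suggested in the comment above, added here as an example; it is not OpenERP's code or the fix that was eventually committed. `Users`, `AnonymousUsers`, `try_write`, `ANONYMOUS_UID` and the field list are assumptions standing in for `res.users` and its self-service preference fields.

```python
# Added illustration: a simplified stand-in for the res.users write path.
# Class names, the field list and the uids are assumptions, not OpenERP code.
SUPERUSER_ID = 1
ANONYMOUS_UID = 42  # hypothetical id of the shared anonymous user
SELF_WRITEABLE_FIELDS = {"tz", "lang", "signature"}  # constructed subset


class AccessError(Exception):
    pass


class Users:
    """Base model: users may edit a few of their own preference fields."""

    def __init__(self):
        # Constructed sample records.
        self.rows = {ANONYMOUS_UID: {"tz": "UTC", "groups": "public"},
                     7: {"tz": "UTC", "groups": "employee"}}

    def check_access(self, uid):
        if uid != SUPERUSER_ID:
            raise AccessError("uid %s may not write res.users" % uid)

    def write(self, uid, ids, values):
        # The "magic bypass": a write that touches only preference fields
        # on the caller's own record is performed with superuser rights.
        if ids == [uid] and set(values) <= SELF_WRITEABLE_FIELDS:
            uid = SUPERUSER_ID
        self.check_access(uid)
        for rec_id in ids:
            self.rows[rec_id].update(values)
        return True


class AnonymousUsers(Users):
    """Override in the spirit of the comment: refuse writes made as anonymous."""

    def write(self, uid, ids, values):
        if uid == ANONYMOUS_UID:
            raise AccessError("anonymous user cannot change stored preferences")
        return super().write(uid, ids, values)


def try_write(model, uid, ids, values):
    """Return True if the write succeeded, False if access was denied."""
    try:
        return model.write(uid, ids, values)
    except AccessError:
        return False
```

The guard runs before the bypass is evaluated, so a regular user's own preference writes are unaffected while the shared account's stored record stays fixed.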