openerp-india team mailing list archive
-
openerp-india team
-
Mailing list archive
-
Message #20367
[Bug 1084411] Re: [trunk] Crossing ACL make not readable ir.ui.menu model.
Hello,
This bug cannot be reproduced anymore in trunk, as anonymous portal has
been fixed before the release. I therefore set this bug as fixed.
Best regards,
** Changed in: openobject-addons
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Addons.
https://bugs.launchpad.net/bugs/1084411
Title:
[trunk] Crossing ACL make not readable ir.ui.menu model.
Status in OpenERP Addons (modules):
Fix Released
Bug description:
Hello.
If you try to read ir.ui.menu with anonymous user, there are a cross
acl related with the read af res.partner model that avoid read this
element.
How replicate?
install auth_anonymous module [To have anonymous user available].
install mail module (it is who introduce the bug)
Set a password to this user.
Try to login to this user.
What do i got:
------------
Access Denied
Sorry, you are not allowed to access this document. Only users with the following access level are currently allowed to do that:
- Portal
- Contact Creation
- Human Resources/Employee
(Document model: res.partner)
------------
What do i expect:
Blank page without access to anything.
The main issue is that some overwritting in search is asking for
res.partner IMHO this is a security breach even giving access to
SUPERUSER_ID, a use Just must see models explícit in them ACL.
How verify deeper:
Install DB (no modules)
Just install a new db
install auth_anonymous module [To have anonymous user available].
Login as anonymous.
What i expect is what happends, loged in a blank screen.
Solutions:
1.- Verify mail module.
2.- Yaml test to log in to system to verify other modules are not presenting the same problem.
Thanks a lot.!
To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-addons/+bug/1084411/+subscriptions
References
