
openerp-india team mailing list archive

[Bug 1104163] [NEW] [7.0] Record rules for 'stock.picking' are not enforced on 'stock.picking.out' when displaying tree view

 

Public bug reported:

How to reproduce:
1. Create new database with demo data
2. Enable 'Technical Features' and 'Multi Companies' for administrator
3. Install 'warehouse' module
4. Edit user 'demo': 
  - change company to 'Your Company, Birmingham shop'
  - change allowed companies to 'Your Company, Birmingham shop'
5. Create a delivery order as administrator to any of the partners, but make sure that the company is set to 'Your Company' in 'Additional Info' tab
6. Log out and log in as 'demo' user
7. Go to Warehouse/Delivery Orders and see OUT/00001 which this user shouldn't be able to see.
8. Click on delivery order OUT/00001 and an error pops up:
" Access Denied
The requested operation cannot be completed due to security restrictions. Please contact your system administrator.
(Document type: Picking List, Operation: read)"

I traced this error to the following issue.
To display the tree list, OpenERP calls the search() method on the objects it is displaying. In this case it is 'stock.picking.out'. The search method checks access rights and access rules, and since there are no access rules for 'stock.picking.out', it displays the delivery order.

** Affects: openobject-addons
     Importance: Undecided
         Status: New

** Patch added: "stock.patch"
   https://bugs.launchpad.net/bugs/1104163/+attachment/3498347/+files/stock.patch

** Patch removed: "stock.patch"
   https://bugs.launchpad.net/openobject-addons/+bug/1104163/+attachment/3498347/+files/stock.patch

-- 
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Addons.
https://bugs.launchpad.net/bugs/1104163
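
Added example (not part of the bug report and not OpenERP code): a simplified model of the behaviour the report describes, where record rules are looked up by model name, plus an audit for models that share a table with a protected model but have no rules. All data is constructed, all function names are hypothetical, and checking reads against the base model's rules is an assumption taken from the "Document type: Picking List" error text.

```python
# Added illustration: a simplified model of the reported behaviour, not OpenERP code.
# All data below is constructed; function names are hypothetical.

PICKINGS = [  # rows of the shared table
    {"id": 1, "name": "OUT/00001", "company": "Your Company"},
    {"id": 2, "name": "OUT/00002", "company": "Your Company, Birmingham shop"},
]
# Both models expose the same rows.
MODEL_TABLE = {"stock.picking": "stock_picking",
               "stock.picking.out": "stock_picking"}

def same_company(rec, user):
    return rec["company"] in user["companies"]

# Record rules are keyed by model name; only the base model has one.
RULES = {"stock.picking": [same_company]}

class AccessDenied(Exception):
    pass

def search(model, user, rules):
    """List ids that pass the rules registered under this exact model name."""
    checks = rules.get(model, [])
    return [r["id"] for r in PICKINGS if all(c(r, user) for c in checks)]

def read(model, user, rec_id, rules):
    """Assumption: reads are checked against the base model's rules."""
    rec = next(r for r in PICKINGS if r["id"] == rec_id)
    if not all(c(rec, user) for c in rules.get("stock.picking", [])):
        raise AccessDenied("Document type: Picking List, Operation: read")
    return rec

def unprotected_aliases(model_table, rules):
    """Audit: models with no rules that share a table with a ruled model."""
    ruled_tables = {model_table[m] for m in rules if rules[m]}
    return sorted(m for m, t in model_table.items()
                  if t in ruled_tables and not rules.get(m))

def with_inherited_rules(model_table, rules):
    """Mitigation sketch: each model also gets the rules of models on its table."""
    out = {m: list(rules.get(m, [])) for m in model_table}
    for m, t in model_table.items():
        for other, checks in rules.items():
            if other != m and model_table[other] == t:
                out[m] += [c for c in checks if c not in out[m]]
    return out

DEMO = {"login": "demo", "companies": {"Your Company, Birmingham shop"}}
```

With the constructed rules, search on 'stock.picking.out' lists both pickings for the demo user while read on OUT/00001 is denied, which is the mismatch in steps 7 and 8.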

