openerp-india team mailing list archive

[Bug 1116202] [NEW] Attached To directory empty

 

Public bug reported:

Version 7.0-20130205-000102


Install the knowledge module (by default there is a directory named Employee, defined as Folders per resource).

Let's say I am a manager of human resources.

Human resources -> Employees -> Select an employee -> add attachment


The attachment is uploaded. 


When you go to Knowledge, the document is there, but everybody can see that document because the directory is empty.

So for every user who has access to Knowledge, any attachment added
using the above method is public to everyone.

So if I add a PDF document as an attachment to one of my partners, every
employee can see that document if I don't set up in the Knowledge
section a directory with view restriction. Even worse, everybody can
delete that attachment because it doesn't go to a directory.

Maybe I didn't understand how attachments are supposed to work, but this is a
huge security problem in document management using attachments.


Last thing. Let's say I use the knowledge module and add a document to a specific directory with user restrictions. There is no option to not let or let those users delete my file. Everybody can edit and do anything he wants.

** Affects: openobject-addons
     Importance: Undecided
         Status: New


** Tags: v7

-- 
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Addons.
https://bugs.launchpad.net/bugs/1116202
