openerp-india team mailing list archive
Message #23089
[Bug 1099102] Re: Access denied on Res Partner
*** This bug is a duplicate of bug 1094212 ***
https://bugs.launchpad.net/bugs/1094212
This also affects the standard multi_company rule on res.partner for the
same reason.
It can be worked around by disabling the rule for read access, but this
is the source of an information leak.
--
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Server.
https://bugs.launchpad.net/bugs/1099102
Title:
Access denied on Res Partner
Status in OpenERP Server:
Confirmed
Bug description:
Dear All,
As Administrator, I created a record rule to restrict access to
contacts.
Below is the rule definition for object "res.partner":
['|','|',('user_id','=',user.id),('user_id','=',False),('parent_id.user_id','=',user.id)] with rights: Read access only.
Then, I attached the "See Own leads" group to this rule.
When a user of this group tries to type anything in the "search bar" of the Sales/Clients menu, he gets the following error:
Access denied
The requested operation cannot be completed due to security restrictions ...
Document type: Partner, Operation: Read
I tried this in a new & empty database.
I created a new user (user2) attached to group "See Own Leads".
We created 2 partners: Test1 with user_id as Admin and Test2 with user_id as user2
I logged in as User2. From the menu "Sales/Clients":
I see only Test2 (good as record rule works)
We tested 2 scenarios:
Scenario 1:
- I typed in the search bar the letter "t" (which is in the Test1 and Test2 partner names) ==>
Access denied
The requested operation cannot be completed due to security restrictions ...
Document type: Partner, Operation: Read
Scenario 2:
- I typed in the search bar the letter "k" (which is not in the Test1 and Test2 partner names) ==> no problem!!!
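
An added example, not part of the original report or of OpenERP's code: a minimal evaluator for the prefix-notation domain quoted above, run over constructed partners, showing what the rule filters and what disabling it for read access exposes. The record ids, the third partner and all helper names are assumptions; it models the rule's semantics only and does not reproduce the reported error.

```python
# Constructed sample data mirroring the report, plus one child contact.
ADMIN_ID, USER2_ID = 1, 2
PARTNERS = [
    {"id": 10, "name": "Test1", "user_id": ADMIN_ID, "parent_id": None},
    {"id": 11, "name": "Test2", "user_id": USER2_ID, "parent_id": None},
    {"id": 12, "name": "Test2 contact", "user_id": ADMIN_ID, "parent_id": 11},
]
BY_ID = {p["id"]: p for p in PARTNERS}

def rule_domain(uid):
    """The record rule from the report, with user.id substituted."""
    return ['|', '|', ('user_id', '=', uid), ('user_id', '=', False),
            ('parent_id.user_id', '=', uid)]

def field_value(record, path):
    """Follow a dotted path such as parent_id.user_id; unset reads as False."""
    parts = path.split('.')
    for part in parts[:-1]:
        record = BY_ID.get(record.get(part))
        if record is None:
            return False
    return record.get(parts[-1]) or False

def matches(domain, record):
    """Evaluate a prefix-notation domain; top-level terms are ANDed."""
    def walk(pos):
        token = domain[pos]
        if token in ('|', '&'):
            left, pos = walk(pos + 1)
            right, pos = walk(pos)
            return (left or right) if token == '|' else (left and right), pos
        if token == '!':
            value, pos = walk(pos + 1)
            return not value, pos
        field, op, expected = token
        if op != '=':
            raise ValueError("only '=' is handled in this sketch")
        return field_value(record, field) == expected, pos + 1
    pos, result = 0, True
    while pos < len(domain):
        value, pos = walk(pos)
        result = result and value
    return result

def visible_names(uid, read_rule_enabled=True):
    """Names a user may read; with the rule off for read, nothing is filtered."""
    domain = rule_domain(uid) if read_rule_enabled else []
    return [p["name"] for p in PARTNERS if matches(domain, p)]
```

With the rule active, user2 is limited to Test2 and its contact; with the rule disabled for read, the same call returns every partner, which is the information leak the comment above refers to.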