openerp-india team mailing list archive

[Bug 1099102] Re: Access denied on Res Partner

 

*** This bug is a duplicate of bug 1094212 ***
    https://bugs.launchpad.net/bugs/1094212

This also affects the standard multi_company rule on res.partner for the
same reason.

It can be worked around by disabling the rule for read access, but this
is the source of an information leak.

-- 
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Server.
https://bugs.launchpad.net/bugs/1099102

Title:
  Access denied on Res Partner

Status in OpenERP Server:
  Confirmed

Bug description:
  Dear All,

  As Administrator, I create a record rule to restrict access to
  contacts.

  Below is the rule definition for object "res.partner":
  ['|','|',('user_id','=',user.id),('user_id','=',False),('parent_id.user_id','=',user.id)]  with rights: Read access only.
  Then, I attached the "See Own leads" group to this rule.

  
  When a user of this group tries to type anything in the "search bar" of the Sales/Clients menu, he gets the following error:
  Access denied
  The requested operation cannot be completed due to security restrictions ... 
  Document type: Partner, Operation: Read

  I tried this in a new & empty database.
  I created a new user (user2) attached to group "See Own Leads".
  We created 2 partners: Test1 with user_id as Admin and Test2 with user_id as user2

  I logged in as User2. From the menu "Sales/Clients":
  I see only Test2 (good, as the record rule works)

  We tested 2 scenarios:

  Scenario 1:
  - I typed in the search bar the letter "t" (which is in the Test1 and Test2 partner names) ==>
  Access denied
  The requested operation cannot be completed due to security restrictions ... 
  Document type: Partner, Operation: Read

  Scenario 2:
   - I typed in the search bar the letter "k" (which is not in the Test1 and Test2 partner names) ==> no problem!!!

To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-server/+bug/1099102/+subscriptions
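
An added illustration (not part of the original report, and not OpenERP's own code): a small Python model of how the prefix-notation domain from the bug description selects partners for user2, and which records become readable once the rule no longer applies to read access, as the workaround in the comment does. The record ids, the child contact and all helper names are constructed for this example.

```python
# Added illustration: an in-memory model of OpenERP-style prefix domains.
# It is not the ORM, which compiles record-rule domains to SQL.

def get_path(record, path):
    """Follow a dotted field path; an unset many2one is modelled as False."""
    value = record
    for name in path.split("."):
        if not value:
            return False
        value = value.get(name, False)
    return value

def matches(domain, record):
    """Evaluate a prefix-notation domain with '|', '&', '!' and '=' leaves."""
    def parse(pos):
        token = domain[pos]
        if token == "!":
            val, pos = parse(pos + 1)
            return (not val), pos
        if token in ("|", "&"):
            left, pos = parse(pos + 1)
            right, pos = parse(pos)
            return ((left or right) if token == "|" else (left and right)), pos
        field, op, expected = token
        if op != "=":
            raise ValueError("only '=' leaves are modelled here")
        return get_path(record, field) == expected, pos + 1

    result, pos = parse(0)
    while pos < len(domain):  # top-level terms are implicitly AND-ed
        val, pos = parse(pos)
        result = result and val
    return bool(result)

USER2_ID = 2  # constructed ids: 1 = Admin, 2 = user2
RULE = ['|', '|', ('user_id', '=', USER2_ID), ('user_id', '=', False),
        ('parent_id.user_id', '=', USER2_ID)]
TEST1 = {"name": "Test1", "user_id": 1, "parent_id": False}
TEST2 = {"name": "Test2", "user_id": 2, "parent_id": False}
# Constructed child contact, reachable only through the parent_id.user_id leaf.
CHILD = {"name": "Test2 contact", "user_id": 1, "parent_id": TEST2}
PARTNERS = [TEST1, TEST2, CHILD]

def readable(partners, rule_applies_to_read=True):
    """Names user2 can read; with the rule off for read, nothing is filtered."""
    return [p["name"] for p in partners
            if not rule_applies_to_read or matches(RULE, p)]

if __name__ == "__main__":
    print(readable(PARTNERS))
    print(readable(PARTNERS, rule_applies_to_read=False))
```

With the rule applied to read, user2 is limited to Test2 and its contact; with it disabled for read, Test1 is returned as well, which is the leak the comment warns about.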

