
openerp-india team mailing list archive

[Bug 1130712] Re: Anonymous user can DELETE filters when debug GET parameter is activated


Actually the anonymous user has the same access rights by default as
other users: they're allowed to create/edit/delete any filter that they
own or that is owned by no-one (i.e. shared filters). They will not be
able to modify filters that are owned by others.

However this is indeed not appropriate: when logged in as anonymous the user should be able to:
- create filters and view/manage filters that are owned by anonymous
- view global filters (filters with no assigned users) but *not* modify/create/delete them

This is trickier than it seems based on the way ir.model.access and
ir.rules work by default, and might actually require some Python code.

-- 
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Server.
https://bugs.launchpad.net/bugs/1130712

Title:
  Anonymous user can DELETE filters when debug GET parameter is
  activated

Status in OpenERP Server:
  Confirmed

Bug description:
  When the public portal functionality is activated, the anonymous user
  can CREATE/DELETE defined filters from the system.

  How to reproduce:

  1. Activate the public portal functionality
  2. Specify the debug GET parameter on the URL
  3. In the debug menu, click 'Manage filters'
  4. Clear the automatically applied filters (all filters are shown)
  5. Select any of the filters and delete it.

  Expected behaviour: No display of filters at all.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-server/+bug/1130712/+subscriptions
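
The access policy proposed in the comment above, modelled as an added example (not OpenERP code and not part of the bug thread): plain Python that compares the default ownership rule with the intended anonymous-user behaviour and lists the operations that differ. The `Filter` tuple, `ANONYMOUS_UID` and the sample filters are constructed for illustration.

```python
# Stand-alone model of the filter ownership policy; no OpenERP imports.
# User ids, the Filter type and the sample data are constructed.
from collections import namedtuple

Filter = namedtuple("Filter", "name owner_id")  # owner_id None = shared/global

ANONYMOUS_UID = 99  # hypothetical id of the anonymous portal user
OPS = ("read", "create", "write", "unlink")


def default_policy(uid, flt, op):
    """Default described in the comment: any operation on own or unowned filters."""
    return flt.owner_id in (None, uid)


def intended_policy(uid, flt, op):
    """Anonymous: full access to own filters, read-only access to global ones."""
    if uid != ANONYMOUS_UID:
        return default_policy(uid, flt, op)
    if flt.owner_id == uid:
        return True
    if flt.owner_id is None:
        return op == "read"
    return False


def policy_gap(uid, filters):
    """(filter name, op) pairs the default allows but the intended policy denies."""
    return [(f.name, op) for f in filters for op in OPS
            if default_policy(uid, f, op) and not intended_policy(uid, f, op)]


SAMPLE = [  # constructed sample filters
    Filter("shared: open invoices", None),
    Filter("anonymous: my search", ANONYMOUS_UID),
    Filter("admin: private", 1),
]

if __name__ == "__main__":
    for name, op in policy_gap(ANONYMOUS_UID, SAMPLE):
        print("default allows but should deny:", op, "on", name)
```

The gap is confined to create/write/unlink on unowned filters, which is why a single ownership condition applied to every operation cannot express the intended behaviour.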