openerp-india team mailing list archive
-
openerp-india team
-
Mailing list archive
-
Message #23771
[Bug 1130712] Re: Anonymous user can DELETE filters when debug GET parameter is activated
Actually the anonymous user has the same access right by default as
other users: they're allowed to create/edit/delete any filter that they
own or that is owned by no-one (i.e. shared filters). They will not be
able to modify filters that are owned by others.
However this is indeed not appropriate: when logged in as anonymous the user should be able to:
- create filters and view/manage filters that are owned by anonymous
- view global filters (filters with no assigned users) but *not* modify/create/delete them
This is trickier than it seems based on the way ir.model.access and
ir.rules work by default, and might actually require some Python code.
--
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Server.
https://bugs.launchpad.net/bugs/1130712
Title:
Anonymous user can DELETE filters when debug GET parameter is
activated
Status in OpenERP Server:
Confirmed
Bug description:
When the public portal functionality is activated, the anonymous user
can CREATE/DELETE defined filters from the system.
How to reproduce:
1. Activate the public portal functionality
2. specify the debug GET parameter on the url
3. in the debug menu, click 'Manage filters'
4. clear the automatically applied filters (all filters are shown)
5. Select any of the filters and delete it.
Expected behaviour: No display of filters at all.
To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-server/+bug/1130712/+subscriptions