openerp-india team mailing list archive

["Martin Trigaux \(OpenERP\)" <mat@xxxxxxxxxxx>]

Hello,

This issue was created because we have restricted the permissions to
subscribe on a mail.thread object (cf revision 9733 addons 7.0) to add
the access_rules.

The problem with this behaviour is that note.note has a record.rule
based on followers. When subscribing the author to the note, the read
access rules are checked (and not met yet).

To avoid this we now make sure the subscribers are added before the
verification of rules and make sure we trigger the create access rule
and not the read rule when subscribing.

We are not happy about the context hack but as long as we do not have a
proper way to see the operations we have no other choices if we want to
keep a security verification at the record level (which is better than
the previous one at the model level).

Regards

revno: 9812 [merge]
revision-id: mat@xxxxxxxxxxx-20140206121438-epghqo042ync24v5


** Changed in: openobject-addons
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Addons.
https://bugs.launchpad.net/bugs/1259913

Title:
  [7.0] When create Note. Access check for read, before write.

Status in OpenERP Addons (modules):
  Fix Released

Bug description:
  When create Note.

  Show message Windows with Access for read note , but it note not write
  yet. Autor not create yet as fallower,  but function in
  "message_subscribe" in mail_thread.py in module mail, check it.

  Access check - it "Only followers can access a sticky notes".

To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-addons/+bug/1259913/+subscriptions