Merge lp:~akretion-team/ocb-addons/70-addons-fix-payment-acls-bank into lp:ocb-addons

Proposed by Alexis de Lattre
Status: Rejected
Rejected by: Holger Brunn (Therp)
Proposed branch: lp:~akretion-team/ocb-addons/70-addons-fix-payment-acls-bank
Merge into: lp:ocb-addons
Diff against target: 64 lines (+27/-0)
4 files modified
account/security/account_security.xml (+9/-0)
account/security/ir.model.access.csv (+2/-0)
account_payment/security/account_payment_security.xml (+14/-0)
account_payment/security/ir.model.access.csv (+2/-0)
To merge this branch: bzr merge lp:~akretion-team/ocb-addons/70-addons-fix-payment-acls-bank
Reviewer Review Type Date Requested Status
Holger Brunn (Therp) Disapprove
Yannick Vaucher @ Camptocamp Needs Fixing
Raphaël Valyi - Needs Fixing
Review via email:

Description of the change

This MP aims at fixing the issue that I described long ago in this mail :

In short : regular users are usually in the "Contact Creation" group because they need to create/modify partners. By default in OpenERP, it also grants them create/write permissions on bank accounts. If you use OpenERP to generate SEPA files and make payments, a regular user could modify the bank account of a supplier and put it's own bank account instead and receive the payments for the supplier on its own bank account ! As you can imagine, this is a problem :)

This merge proposal follows a discussion that took place in the banking-addons-drivers mailing-list, cf this thread

To post a comment you must log in.
Revision history for this message
Raphaël Valyi - (rvalyi) wrote :

Hello Alexis,

I would gladly approve the merge if:
1) it was linked to a bug report
) there would be a MP for the official addons too as OCB policy requires

That looks like a horrible bureaucracy and at some point it is, but I think we should enforce OCB policy until eventually we re-discuss it and this bureaucracy today is in fact alleviating OCB maintainers work in the long run when eventually OpenERP SA will fix the bug in the official addons.

review: Needs Fixing
Revision history for this message
Yannick Vaucher @ Camptocamp (yvaucher-c2c) wrote :

Aggreed with Raphaël, Please provide a bug report and the same MP on official branch

Thus the bug report will link ocb and official branch fixes.


review: Needs Fixing
Revision history for this message
Alexis de Lattre (alexis-via) wrote :

I won't do a bug report on the official branch myself and a new MP because it will certainly be ignored and I don't have motivation nor time (cf I did this bug report and MP on OCB because other members of the banking-addons mailing-list suggested it ; but it was not my initial idea.

So if a volunteer can take care of that and re-use my patch, he will be more than welcomed.

For those who arrive on this bug report and need an immediate fix, they can use the module
"account_payment_security" from lp:~akretion-team/+junk/70-usability/

Revision history for this message
Holger Brunn (Therp) (hbrunn) wrote :

Development for 7.0 has moved to github on - please move your merge proposal there if it is still valid.

(I close and reject this in order to have a cleaner overview for 6.1 MPs which indeed have to be done on launchpad)

review: Disapprove

Unmerged revisions

9949. By Alexis de Lattre

When the account module is installed, rights for the configuration of bank accounts are transfered from base.group_partner_manager to account.group_account_manager
When the account_payment module is installed, full rights on bank accounts are transfered from base.group_partner_manager to account_payment.group_account_payment because otherwize members of the Contact Creation group could easily divert a payment to a supplier.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'account/security/account_security.xml'
2--- account/security/account_security.xml 2012-10-23 16:05:04 +0000
3+++ account/security/account_security.xml 2014-02-24 21:35:22 +0000
4@@ -30,6 +30,15 @@
5 <field name="name">Check Total on supplier invoices</field>
6 <field name="category_id" ref="base.module_category_hidden"/>
7 </record>
9+ <!-- Remove ACLs that give configuration rights on bank accounts to
10+ to base.group_partner_manager. In the CSV file, we give those rights
11+ to group_account_manager -->
12+ <delete model="ir.model.access"
13+ id="base.access_res_partner_bank_type_group_partner_manager"/>
14+ <delete model="ir.model.access"
15+ id="base.access_res_partner_bank_type_field_group_partner_manager"/>
17 </data>
19 <data noupdate="1">
21=== modified file 'account/security/ir.model.access.csv'
22--- account/security/ir.model.access.csv 2012-10-23 16:05:04 +0000
23+++ account/security/ir.model.access.csv 2014-02-24 21:35:22 +0000
24@@ -98,3 +98,5 @@
25 access_account_treasury_report_manager,,model_account_treasury_report,account.group_account_manager,1,0,0,0
26 access_account_financial_report,,model_account_financial_report,account.group_account_user,1,1,1,1
27 access_account_financial_report_invoice, invoice,model_account_financial_report,account.group_account_invoice,1,0,0,0
28+access_res_partner_bank_type_account_manager,Full access on to Financial Manager,base.model_res_partner_bank_type,group_account_manager,1,1,1,1
29+access_res_partner_bank_type_field_account_manager,Full access on to Financial Manager,base.model_res_partner_bank_type_field,group_account_manager,1,1,1,1
31=== modified file 'account_payment/security/account_payment_security.xml'
32--- account_payment/security/account_payment_security.xml 2012-10-23 16:05:04 +0000
33+++ account_payment/security/account_payment_security.xml 2014-02-24 21:35:22 +0000
34@@ -10,6 +10,20 @@
35 <field name="implied_ids" eval="[(4, ref('group_account_payment'))]"/>
36 </record>
38+ <!-- When the account_payment module is installed, we don't want
39+ users that belong to the "Contract Creation" group
40+ (base.group_partner_manager) to be able to create/modify bank accounts
41+ because they could change bank account information of suppliers
42+ and divert wire transfers to suppliers. So we delete the ACLs
43+ that give create/write access on and to the
44+ group base.group_partner_manager and we add ACLs in the CSV file
45+ that give those rights to members of account_payment.group_account_payment
46+ -->
47+ <delete model="ir.model.access"
48+ id="base.access_res_bank_group_partner_manager"/>
49+ <delete model="ir.model.access"
50+ id="base.access_res_partner_bank_group_partner_manager"/>
52 </data>
53 <data noupdate="1">
56=== modified file 'account_payment/security/ir.model.access.csv'
57--- account_payment/security/ir.model.access.csv 2011-12-19 16:54:40 +0000
58+++ account_payment/security/ir.model.access.csv 2014-02-24 21:35:22 +0000
59@@ -6,3 +6,5 @@
60 access_account_invoice_payment,account.invoice payment,account.model_account_invoice,group_account_payment,1,0,0,0
61 access_account_move_line_payment,account.move.line payment,account.model_account_move_line,group_account_payment,1,0,0,0
62 access_payment_order_manager,payment.order manager,model_payment_order,account.group_account_manager,1,0,0,0
63+access_res_partner_bank_account_payment,Full access on to Account Payment,base.model_res_partner_bank,group_account_payment,1,1,1,1
64+access_res_bank_account_payment,Full access on to Account Payment,base.model_res_bank,group_account_payment,1,1,1,1