Merge lp:~camptocamp/openerp-product-attributes/7.0-fix-field-acl-lep into lp:~product-core-editors/openerp-product-attributes/7.0

Proposed by Leonardo Pistone on 2014-05-06
Status: Needs review
Proposed branch: lp:~camptocamp/openerp-product-attributes/7.0-fix-field-acl-lep
Merge into: lp:~product-core-editors/openerp-product-attributes/7.0
Diff against target: 8 lines (+1/-0)
1 file modified
base_custom_attributes/security/ir.model.access.csv (+1/-0)
To merge this branch: bzr merge lp:~camptocamp/openerp-product-attributes/7.0-fix-field-acl-lep
Reviewer Review Type Date Requested Status
Laetitia Gangloff (Acsone) (community) Needs Resubmitting on 2014-07-09
Yannick Vaucher @ Camptocamp code review, no test 2014-05-06 Needs Fixing on 2014-05-07

Seems very dangerous to me.

You should never trust all sale managers. Any sale manager could break the database.

Maybe we could add a boolean on ir model field to know if this is a custom attribute.
Then add a record rule to let CRUD access only on ir_model_fields that belong to a custom attribute.

review: Needs Fixing (code review, no test)
Leonardo Pistone (lepistone) wrote :

Yannick, I agree with your argument on sale managers.

Still, I was trying to make the smallest fix. Sale Managers already have permissions to change attribute.attribute, and attribute.set. But because attribute.attribute _inherits ir.model.field, they actually can't. There is an inconsistency.

I know security based on views is not security, but still, sales managers don't see the "fields" menu.

What do you suggest?

This project is now hosted on Please move your proposal there. This guide may help you

review: Needs Resubmitting

Unmerged revisions

243. By Leonardo Pistone on 2014-05-06

[fix] allow attributes to be written by non-admin users

Preview Diff

1=== modified file 'base_custom_attributes/security/ir.model.access.csv'
2--- base_custom_attributes/security/ir.model.access.csv 2013-11-25 07:17:05 +0000
3+++ base_custom_attributes/security/ir.model.access.csv 2014-05-06 16:45:49 +0000
4@@ -14,3 +14,4 @@
5 access_base_custom_attributes_attribute_attribute_user,base_custom_attributes_attribute_attribute,base_custom_attributes.model_attribute_attribute,base.group_user,1,0,0,0
6 access_base_custom_attributes_attribute_option_user,base_custom_attributes_attribute_option,base_custom_attributes.model_attribute_option,base.group_user,1,0,0,0
7 access_base_custom_attributes_attribute_location_user,base_custom_attributes_attribute_location,base_custom_attributes.model_attribute_location,base.group_user,1,1,1,0
8+access_ir_model_fields_salemanager,ir_model_fields group_sale_manager,base.model_ir_model_fields,base.group_sale_manager,1,1,1,1
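
Review bot: The added row sets all four permission flags to 1 for base.group_sale_manager on base.model_ir_model_fields, so the grant covers every ir.model.fields record in the database, not only the fields that back a custom attribute, and nothing in this hunk narrows it. The neighbouring attribute rows give base.group_user 1,0,0,0 or at most 1,1,1,0, so this is also the only row in view that allows unlink. Consider dropping the unlink flag unless attribute deletion really needs it, and pairing the ACL with a record rule that restricts write/create/unlink to fields flagged as custom attributes, as suggested in the review. Minor: the name column "ir_model_fields group_sale_manager" contains a space where the other rows use underscores.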

