Merge lp:~camptocamp/openerp-product-attributes/7.0-fix-field-acl-lep into lp:~product-core-editors/openerp-product-attributes/7.0
Status: | Needs review |
---|---|
Proposed branch: | lp:~camptocamp/openerp-product-attributes/7.0-fix-field-acl-lep |
Merge into: | lp:~product-core-editors/openerp-product-attributes/7.0 |
Diff against target: | 8 lines (+1/-0), 1 file modified: base_custom_attributes/security/ir.model.access.csv (+1/-0) |
To merge this branch: | bzr merge lp:~camptocamp/openerp-product-attributes/7.0-fix-field-acl-lep |
Related bugs: | |

Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Laetitia Gangloff (Acsone) (community) | | | Needs Resubmitting on 2014-07-09 |
Yannick Vaucher @ Camptocamp | code review, no test | 2014-05-06 | Needs Fixing on 2014-05-07 |
Leonardo Pistone (lepistone) wrote:
Yannick, I agree with your argument on sale managers.
Still, I was trying to make the smallest fix. Sale Managers already have permissions to change attributes.
I know security based on views is not security, but still, sales managers don't see the "fields" menu.
What do you suggest?
This project is now hosted on https:/
Unmerged revisions
- 243. By Leonardo Pistone on 2014-05-06
  [fix] allow attributes to be written by non-admin users
Seems very dangerous to me.
You should never trust all sale managers. Any sale manager could break the database.
Maybe we could add a boolean on ir model field to know if this is a custom attribute.
Then add a record rule to let CRUD access only on ir_model_fields that belong to a custom attribute.
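
The boolean-plus-record-rule idea from the comment above, sketched as an OpenERP 7 data file. This is an added example, not code from the proposed branch or the project: the boolean `is_custom_attribute` on `ir.model.fields` is hypothetical and would have to be added and set by the module, and `base.group_sale_manager` is assumed to be the group that the new ACL row targets.

```xml
<?xml version="1.0" encoding="utf-8"?>
<openerp>
    <data noupdate="1">
        <!--
            Added example. The ACL row in ir.model.access.csv grants the
            group model-wide rights on ir.model.fields; this record rule
            narrows write, create and unlink to the rows flagged as custom
            attributes.
            Assumptions: is_custom_attribute is a hypothetical boolean on
            ir.model.fields; base.group_sale_manager is the assumed group.
        -->
        <record id="rule_sale_manager_custom_attribute_fields"
                model="ir.rule">
            <field name="name">Sale managers: custom attribute fields only</field>
            <field name="model_id" ref="base.model_ir_model_fields"/>
            <field name="groups"
                   eval="[(4, ref('base.group_sale_manager'))]"/>
            <field name="domain_force">[('is_custom_attribute', '=', True)]</field>
            <!-- Reading field definitions stays unrestricted by this rule. -->
            <field name="perm_read" eval="False"/>
            <field name="perm_write" eval="True"/>
            <field name="perm_create" eval="True"/>
            <field name="perm_unlink" eval="True"/>
        </record>
    </data>
</openerp>
```

Group-specific rules on the same model are combined with OR across all of a user's groups, so a broader rule attached to another group the user belongs to would widen the access again.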