Merge lp:~camptocamp/openerp-product-attributes/7.0-fix-field-acl-lep into lp:~product-core-editors/openerp-product-attributes/7.0

Proposed by Leonardo Pistone on 2014-05-06
Status: Needs review
Proposed branch: lp:~camptocamp/openerp-product-attributes/7.0-fix-field-acl-lep
Merge into: lp:~product-core-editors/openerp-product-attributes/7.0
Diff against target: 8 lines (+1/-0)
1 file modified
base_custom_attributes/security/ir.model.access.csv (+1/-0)
To merge this branch: bzr merge lp:~camptocamp/openerp-product-attributes/7.0-fix-field-acl-lep
Reviewer Review Type Date Requested Status
Laetitia Gangloff (Acsone) (community) Needs Resubmitting on 2014-07-09
Yannick Vaucher @ Camptocamp code review, no test 2014-05-06 Needs Fixing on 2014-05-07
Review via email: mp+218470@code.launchpad.net
To post a comment you must log in.

Seems very dangerous to me.

You shouldn't never trust all sale managers. Any sale manager could break the database.

Maybe we could add a boolean on ir model field to know if this is a custom attribute.
Then add a record rule to let CRUD access only on ir_model_fields that belongs to a custom attribute.

review: Needs Fixing (code review, no test)
Leonardo Pistone (lepistone) wrote :

Yannick, I agree with your argument on sale managers.

Still, I was trying to make the smallest fix. Sale Managers already have permissions to change attribute.attribute, attribute.group and attribute.set. But because attribute.attribute _inherits ir.model.field, they actually can't. There is an inconsistency.

I know security based on views is not security, but still, sales manager don't see the "fields" menu.

What do you suggest?

This project is now hosted on https://github.com/OCA/product-attribute. Please move your proposal there. This guide may help you https://github.com/OCA/maintainers-tools/wiki/How-to-move-a-Merge-Proposal-to-GitHub

review: Needs Resubmitting

Unmerged revisions

243. By Leonardo Pistone on 2014-05-06

[fix] allow attributes to be written by non-admin users

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'base_custom_attributes/security/ir.model.access.csv'
2--- base_custom_attributes/security/ir.model.access.csv 2013-11-25 07:17:05 +0000
3+++ base_custom_attributes/security/ir.model.access.csv 2014-05-06 16:45:49 +0000
4@@ -14,3 +14,4 @@
5 access_base_custom_attributes_attribute_attribute_user,base_custom_attributes_attribute_attribute,base_custom_attributes.model_attribute_attribute,base.group_user,1,0,0,0
6 access_base_custom_attributes_attribute_option_user,base_custom_attributes_attribute_option,base_custom_attributes.model_attribute_option,base.group_user,1,0,0,0
7 access_base_custom_attributes_attribute_location_user,base_custom_attributes_attribute_location,base_custom_attributes.model_attribute_location,base.group_user,1,1,1,0
8+access_ir_model_fields_salemanager,ir_model_fields group_sale_manager,base.model_ir_model_fields,base.group_sale_manager,1,1,1,1

Subscribers

People subscribed via source and target branches