Merge lp:~camptocamp/openerp-product-attributes/7.0-fix-field-acl-lep into lp:~product-core-editors/openerp-product-attributes/7.0

Proposed by Leonardo Pistone
Status: Needs review
Proposed branch: lp:~camptocamp/openerp-product-attributes/7.0-fix-field-acl-lep
Merge into: lp:~product-core-editors/openerp-product-attributes/7.0
Diff against target: 8 lines (+1/-0)
1 file modified
base_custom_attributes/security/ir.model.access.csv (+1/-0)
To merge this branch: bzr merge lp:~camptocamp/openerp-product-attributes/7.0-fix-field-acl-lep
Reviewers:
- Laetitia Gangloff (Acsone) (community): Needs Resubmitting
- Yannick Vaucher @ Camptocamp (code review, no test): Needs Fixing
Review via email: mp+218470@code.launchpad.net
Revision history for this message
Yannick Vaucher @ Camptocamp (yvaucher-c2c) wrote :

Seems very dangerous to me.

You should never trust all sale managers. Any sale manager could break the database.

Maybe we could add a boolean on ir model field to know if this is a custom attribute.
Then add a record rule to let CRUD access only on ir_model_fields that belongs to a custom attribute.

review: Needs Fixing (code review, no test)
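The record rule suggested above, written out as an added example (not code from the module or from either reviewer). It assumes ir.model.fields has been extended with a boolean named is_custom_attribute (a placeholder name) that the module sets when it creates an attribute's field:

```xml
<?xml version="1.0" encoding="utf-8"?>
<openerp>
    <data noupdate="1">
        <!-- Assumption: a boolean is_custom_attribute (placeholder name) was added
             to ir.model.fields by the module. The rule only narrows which
             ir.model.fields records the sale manager ACL row may touch. -->
        <record id="ir_model_fields_custom_attribute_sale_manager" model="ir.rule">
            <field name="name">Sale managers: custom attribute fields only</field>
            <field name="model_id" ref="base.model_ir_model_fields"/>
            <field name="domain_force">[('is_custom_attribute', '=', True)]</field>
            <field name="groups" eval="[(4, ref('base.group_sale_manager'))]"/>
            <!-- Reading stays unrestricted (base.group_user already has read);
                 create/write/unlink are limited to custom attribute fields. -->
            <field name="perm_read" eval="False"/>
            <field name="perm_create" eval="True"/>
            <field name="perm_write" eval="True"/>
            <field name="perm_unlink" eval="True"/>
        </record>
    </data>
</openerp>
```

A rule only filters records; the ir.model.access.csv row granting sale managers create/write/unlink on ir.model.fields is still needed, and the rule is what keeps that grant from covering every field definition in the database.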
Revision history for this message
Leonardo Pistone (lepistone) wrote :

Yannick, I agree with your argument on sale managers.

Still, I was trying to make the smallest fix. Sale Managers already have permissions to change attribute.attribute, attribute.group and attribute.set. But because attribute.attribute _inherits ir.model.field, they actually can't. There is an inconsistency.

I know security based on views is not security, but still, sales managers don't see the "fields" menu.

What do you suggest?

Revision history for this message
Laetitia Gangloff (Acsone) (laetitia-gangloff) wrote :

This project is now hosted on https://github.com/OCA/product-attribute. Please move your proposal there. This guide may help you https://github.com/OCA/maintainers-tools/wiki/How-to-move-a-Merge-Proposal-to-GitHub

review: Needs Resubmitting

Unmerged revisions

243. By Leonardo Pistone

[fix] allow attributes to be written by non-admin users

Preview Diff

1=== modified file 'base_custom_attributes/security/ir.model.access.csv'
2--- base_custom_attributes/security/ir.model.access.csv 2013-11-25 07:17:05 +0000
3+++ base_custom_attributes/security/ir.model.access.csv 2014-05-06 16:45:49 +0000
4@@ -14,3 +14,4 @@
5 access_base_custom_attributes_attribute_attribute_user,base_custom_attributes_attribute_attribute,base_custom_attributes.model_attribute_attribute,base.group_user,1,0,0,0
6 access_base_custom_attributes_attribute_option_user,base_custom_attributes_attribute_option,base_custom_attributes.model_attribute_option,base.group_user,1,0,0,0
7 access_base_custom_attributes_attribute_location_user,base_custom_attributes_attribute_location,base_custom_attributes.model_attribute_location,base.group_user,1,1,1,0
8+access_ir_model_fields_salemanager,ir_model_fields group_sale_manager,base.model_ir_model_fields,base.group_sale_manager,1,1,1,1
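Review bot: the added row grants base.group_sale_manager unrestricted create, write and unlink (1,1,1,1) on base.model_ir_model_fields, which covers every field definition in the database rather than only the fields backing attribute.attribute; the existing rows in this file limit base.group_user to read on the attribute models, so this single line widens the exposure far beyond what the inconsistency described in the discussion requires. Pair the grant with a record rule scoped to custom-attribute fields, as the comments propose, before relying on it. Minor: the name column value "ir_model_fields group_sale_manager" contains a space where the other rows use underscores.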
