Odoo Server (MOVED TO GITHUB)

Merge lp:~cubicerp/openobject-server/7.0-fix-bug-1073087-multicompany-access-denied into lp:openobject-server/7.0

  1. 7.0-fix-bug-1073087-multicompany-access-denied
  2. Merge into 7.0
Proposed by Cubic ERP
Status: Rejected
Rejected by: Olivier Dony (Odoo)
Proposed branch: lp:~cubicerp/openobject-server/7.0-fix-bug-1073087-multicompany-access-denied
Merge into: lp:openobject-server/7.0
Diff against target: 12 lines (+1/-1)
1 file modified
openerp/osv/orm.py (+1/-1)
To merge this branch: bzr merge lp:~cubicerp/openobject-server/7.0-fix-bug-1073087-multicompany-access-denied
Reviewer Review Type Date Requested Status
Olivier Dony (Odoo) Disapprove
Review via email: mp+151602@code.launchpad.net

Description of the change

Patch to fix the bug 1073087 multi company Access Denied Document type: Partner, Operation: read

https://bugs.launchpad.net/openobject-addons/+bug/1073087

To post a comment you must log in.
Revision history for this message
Olivier Dony (Odoo) (odo-openerp) wrote :

Hello,

Thanks for taking the time to submit a patch to fix this issue.

Unfortunately your patch is not correct, what it does will break the access right system of OpenERP. It would allow users to bypass all access rules and perform operations on records on unauthorized records as long as they also touch one record that they can access - this is a dangerous security hole.

In addition the root cause of the problem here is no the security rules system but a synchronization issue between the "company_id" of the current user and the "company_id" of the partner linked to the current user. This is the part that needs to be fixed, not the rules system or the rules themselves.

For more details you can have a look at this other merge proposal that attempts to fix the issue:
   https://code.launchpad.net/~openerp-dev/openobject-server/7.0-opw-591308-jam/+merge/158311

Thanks again for your contribution!

review: Disapprove
Revision history for this message
Cubic ERP (cubicerp) wrote :

Dear Oliver, please explain me about your test realized to you said:

"... what it does will break the access right system of OpenERP. It would allow users to bypass all access rules and perform operations on records on unauthorized records as long as they also touch one record that they can access - this is a dangerous security hole..."

I need review your tests because on my tests it isn't a security hole.

best regards.

Unmerged revisions

4870. By Cubic ERP

[FIX] _check_record_rules_result_count on missing_ids, wrong message Access Denied by record rules operation

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'openerp/osv/orm.py'
2--- openerp/osv/orm.py 2013-02-11 14:36:47 +0000
3+++ openerp/osv/orm.py 2013-03-04 19:42:22 +0000
4@@ -3847,7 +3847,7 @@
5 the length of `ids`, and raise an appropriate exception if it does not.
6 """
7 ids, result_ids = set(ids), set(result_ids)
8- missing_ids = ids - result_ids
9+ missing_ids = not (result_ids.issubset(ids) and result_ids) and ids - result_ids #YT 3/3/2013 #ids - result_ids
10 if missing_ids:
11 # Attempt to distinguish record rule restriction vs deleted records,
12 # to provide a more specific error message - check if the missinf