Merge lp:~cubicerp/openobject-server/7.0-fix-bug-1073087-multicompany-access-denied into lp:openobject-server/7.0
Proposed by Cubic ERP

| Status: | Rejected |
|---|---|
| Rejected by: | Olivier Dony (Odoo) |
| Proposed branch: | lp:~cubicerp/openobject-server/7.0-fix-bug-1073087-multicompany-access-denied |
| Merge into: | lp:openobject-server/7.0 |
| Diff against target: | 12 lines (+1/-1), 1 file modified: openerp/osv/orm.py (+1/-1) |
| To merge this branch: | bzr merge lp:~cubicerp/openobject-server/7.0-fix-bug-1073087-multicompany-access-denied |
| Related bugs: | |

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Olivier Dony (Odoo) | Disapprove | | |

Review via email: mp+151602@code.launchpad.net
Description of the change
Patch to fix the bug 1073087 multi company Access Denied Document type: Partner, Operation: read
Hello,
Thanks for taking the time to submit a patch to fix this issue.
Unfortunately your patch is not correct; what it does will break the access right system of OpenERP. It would allow users to bypass all access rules and perform operations on unauthorized records as long as they also touch one record that they can access - this is a dangerous security hole.
In addition, the root cause of the problem here is not the security rules system but a synchronization issue between the "company_id" of the current user and the "company_id" of the partner linked to the current user. This is the part that needs to be fixed, not the rules system or the rules themselves.
For more details you can have a look at this other merge proposal that attempts to fix the issue: https://code.launchpad.net/~openerp-dev/openobject-server/7.0-opw-591308-jam/+merge/158311
Thanks again for your contribution!
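
The review comment above turns on whether a record-rule check requires every requested record to pass or is satisfied by a single permitted one. The following is an added example, not part of the thread and not OpenERP's `orm.py` code (the proposed diff is not shown on this page); `Record`, `company_rule`, `check_strict`, `check_weakened` and `is_denied` are hypothetical names and the partner data is constructed.

```python
# Added illustration only: hypothetical names, not OpenERP's orm.py API.
from dataclasses import dataclass


class AccessError(Exception):
    pass


@dataclass(frozen=True)
class Record:
    id: int
    company_id: int


# Constructed sample data: partners owned by two different companies.
PARTNERS = {r.id: r for r in (Record(1, 1), Record(2, 1), Record(3, 2))}


def company_rule(user_company_id, ids):
    """Return the subset of ids the multi-company rule lets this user touch."""
    return {i for i in ids
            if i in PARTNERS and PARTNERS[i].company_id == user_company_id}


def check_strict(user_company_id, ids):
    """Every requested record must pass the rule, else the whole operation is denied."""
    requested = set(ids)
    denied = requested - company_rule(user_company_id, requested)
    if denied:
        raise AccessError("Access Denied for record ids %s" % sorted(denied))
    return requested


def check_weakened(user_company_id, ids):
    """Flawed variant: one permitted record is enough to pass the whole batch."""
    requested = set(ids)
    if not company_rule(user_company_id, requested):
        raise AccessError("Access Denied")
    return requested  # unauthorized ids ride along with the permitted one


def is_denied(check, user_company_id, ids):
    """True if the given check raises AccessError for this request."""
    try:
        check(user_company_id, ids)
        return False
    except AccessError:
        return True
```

A regression test for any change to rule enforcement can assert exactly this: a mixed batch containing one record outside the user's company must be denied as a whole.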