Merge lp:~openerp-dev/openobject-server/trunk-bug-917524-mtr into lp:openobject-server
Proposed by
Meera Trambadia (OpenERP)
Status: | Work in progress | ||||
---|---|---|---|---|---|
Proposed branch: | lp:~openerp-dev/openobject-server/trunk-bug-917524-mtr | ||||
Merge into: | lp:openobject-server | ||||
Diff against target: |
18 lines (+8/-0) 1 file modified
openerp/addons/base/security/base_security.xml (+8/-0) |
||||
To merge this branch: | bzr merge lp:~openerp-dev/openobject-server/trunk-bug-917524-mtr | ||||
Related bugs: |
|
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Raphael Collet (OpenERP) (community) | Needs Fixing | ||
qdp (OpenERP) | Pending | ||
Review via email: mp+90431@code.launchpad.net |
Description of the change
base/security: added and modify record rule for ir.values for configuration and employee groups --fixes=lp:917524
To post a comment you must log in.
Unmerged revisions
- 3986. By Meera Trambadia (OpenERP)
-
[MERGE] branch merged with lp:openobject-server
- 3985. By Meera Trambadia (OpenERP)
-
[MERGE] branch merged with lp:openobject-server
- 3984. By Meera Trambadia (OpenERP)
-
[FIX] base: added and modify record rule for ir.values for configuration and employee groups
Be careful, with this change all users have full access to ir.values!
Before you had a *global* ir.model.access (access_ ir_values_ group_all) with a *global* ir.rule (ir_values_ default_ rule) that restricts write, create and delete accesses with a domain. Now that the ir.rule becomes local, the global ir.model.access gives all users full access without a domain! In other words, the local ir.rule has no effect in this situation.
I suggest the following change: ir_values_ group_all' global, but with *read* permission only; default_ rule' local to 'group_user'.
- make the ir.model.access 'access_
- create an ir.model.access for group 'group_system' with all permissions;
- create an ir.model.access for group 'group_user', with all permissions;
- make the ir.rule 'ir_values_
With that change, we have the expected access rights:
- all users have read access to ir.values;
- users of 'group_user' have write, create, and delete access limited to "their" values;
- users of 'group_system' have full access to all ir.values.
Thanks,
Raphael