Merge lp:~openerp-dev/openobject-server/trunk-bug-917524-mtr into lp:openobject-server

Proposed by Meera Trambadia (OpenERP)
Status: Work in progress
Proposed branch: lp:~openerp-dev/openobject-server/trunk-bug-917524-mtr
Merge into: lp:openobject-server
Diff against target: 18 lines (+8/-0)
1 file modified
openerp/addons/base/security/base_security.xml (+8/-0)
To merge this branch: bzr merge lp:~openerp-dev/openobject-server/trunk-bug-917524-mtr
Reviewer Review Type Date Requested Status
Raphael Collet (OpenERP) (community) Needs Fixing
qdp (OpenERP) Pending
Review via email: mp+90431@code.launchpad.net

Description of the change

base/security: added and modified record rule for ir.values for configuration and employee groups --fixes=lp:917524

Raphael Collet (OpenERP) (rco-openerp) wrote :

Be careful, with this change all users have full access to ir.values!

Before you had a *global* ir.model.access (access_ir_values_group_all) with a *global* ir.rule (ir_values_default_rule) that restricts write, create and delete accesses with a domain. Now that the ir.rule becomes local, the global ir.model.access gives all users full access without a domain! In other words, the local ir.rule has no effect in this situation.

I suggest the following change:
 - make the ir.model.access 'access_ir_values_group_all' global, but with *read* permission only;
 - create an ir.model.access for group 'group_system' with all permissions;
 - create an ir.model.access for group 'group_user', with all permissions;
 - make the ir.rule 'ir_values_default_rule' local to 'group_user'.

With that change, we have the expected access rights:
 - all users have read access to ir.values;
 - users of 'group_user' have write, create, and delete access limited to "their" values;
 - users of 'group_system' have full access to all ir.values.

Thanks,
Raphael

review: Needs Fixing
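
The access combinations discussed in the review above, as an added example that is not part of the original thread or of OpenERP's code. It assumes that an access line applies when it is global or the user is in its group, that global rule domains are ANDed and that group rule domains are ORed; the user ids, the sample record and the `allowed` and `matrix` helpers are constructed for illustration.

```python
# Simplified model (assumption, not OpenERP code) of how ir.model.access and
# ir.rule combine: an ACL line applies if it is global (group None) or the user
# is in its group; applicable global rule domains are ANDed, group rule domains
# are ORed; with no applicable rule every record passes.
WRITE_OPS = frozenset({"write", "create", "unlink"})
ALL_OPS = WRITE_OPS | {"read"}

def own_default(user, rec):   # [('key','=','default'),('user_id','=',user.id)]
    return rec["key"] == "default" and rec["user_id"] == user["id"]

def everything(user, rec):    # [(1,'=',1)]
    return True

def allowed(cfg, user, op, rec):
    """Return True if `user` may perform `op` on `rec` under config `cfg`."""
    if not any(op in perms and (grp is None or grp in user["groups"])
               for grp, perms in cfg["acl"]):
        return False
    rules = [(grp, dom) for grp, ops, dom in cfg["rules"] if op in ops]
    global_ok = all(dom(user, rec) for grp, dom in rules if grp is None)
    local = [dom for grp, dom in rules if grp in user["groups"]]
    return global_ok and (not local or any(dom(user, rec) for dom in local))

# Rules as in the diff: default rule local to group_user, new rule for group_system.
DIFF_RULES = [("group_user", WRITE_OPS, own_default),
              ("group_system", ALL_OPS, everything)]
CONFIGS = {
    "before": {"acl": [(None, ALL_OPS)],            # global ACL + global rule
               "rules": [(None, WRITE_OPS, own_default)]},
    "proposed": {"acl": [(None, ALL_OPS)],          # global ACL kept, local rules
                 "rules": DIFF_RULES},
    "suggested": {"acl": [(None, {"read"}), ("group_user", ALL_OPS),
                          ("group_system", ALL_OPS)],  # ACL narrowed per review
                  "rules": DIFF_RULES},
}

# Constructed sample users and record (ids are illustrative).
OUTSIDER = {"id": 7, "groups": set()}
EMPLOYEE = {"id": 8, "groups": {"group_user"}}
ADMIN = {"id": 9, "groups": {"group_user", "group_system"}}
FOREIGN = {"key": "default", "user_id": 42}   # a default owned by someone else

def matrix(op, rec):
    """Map config name -> {user label: allowed?} for one operation and record."""
    users = {"outsider": OUTSIDER, "employee": EMPLOYEE, "admin": ADMIN}
    return {name: {label: allowed(cfg, u, op, rec) for label, u in users.items()}
            for name, cfg in CONFIGS.items()}

if __name__ == "__main__":
    for name, row in matrix("write", FOREIGN).items():
        print(name, row)
```

In this model the user outside both groups can write another user's default only in the "proposed" configuration, because the global access line still grants write and no rule binds that user any more.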
3985. By Meera Trambadia (OpenERP)

[MERGE] branch merged with lp:openobject-server

3986. By Meera Trambadia (OpenERP)

[MERGE] branch merged with lp:openobject-server

Unmerged revisions

3986. By Meera Trambadia (OpenERP)

[MERGE] branch merged with lp:openobject-server

3985. By Meera Trambadia (OpenERP)

[MERGE] branch merged with lp:openobject-server

3984. By Meera Trambadia (OpenERP)

[FIX] base: added and modified record rule for ir.values for configuration and employee groups

Preview Diff

=== modified file 'openerp/addons/base/security/base_security.xml'
--- openerp/addons/base/security/base_security.xml 2011-12-02 16:14:56 +0000
+++ openerp/addons/base/security/base_security.xml 2012-02-14 05:14:18 +0000
@@ -72,6 +72,14 @@
72 <field name="model_id" ref="model_ir_values"/>72 <field name="model_id" ref="model_ir_values"/>
73 <field name="domain_force">[('key','=','default'),('user_id','=',user.id)]</field>73 <field name="domain_force">[('key','=','default'),('user_id','=',user.id)]</field>
74 <field name="perm_read" eval="False"/>74 <field name="perm_read" eval="False"/>
75 <field name="groups" eval="[(4,ref('group_user'))]"/>
76 </record>
77
78 <record model="ir.rule" id="ir_values_all_rule">
79 <field name="name">All: alter all values</field>
80 <field name="model_id" ref="model_ir_values"/>
81 <field name="domain_force">[(1,'=',1)]</field>
82 <field name="groups" eval="[(4,ref('group_system'))]"/>
75 </record>83 </record>
7684
77 <!-- Used for dashboard customizations, users should only be able to edit their own dashboards -->85 <!-- Used for dashboard customizations, users should only be able to edit their own dashboards -->
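
Review bot: the `groups` field added at new line 75 makes the rule with domain [('key','=','default'),('user_id','=',user.id)] apply only to members of group_user, so a user who is in neither group_user nor group_system is no longer constrained by any record rule shown here for write, create or delete on ir.values. This diff modifies only base_security.xml, so the model access for ir.values should be narrowed in the same branch, as the review comment asks (read-only for everyone, all permissions for group_user and group_system). Separately, ir_values_all_rule leaves perm_read unset while the rule above it sets it to False; set the perm_* fields explicitly so the rule's scope matches its name "All: alter all values".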