Record rules for 'stock.picking' are not enforced on 'stock.picking.out' when displaying tree view
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Odoo Addons (MOVED TO GITHUB) |
Fix Released
|
Medium
|
OpenERP R&D Addons Team 2 | ||
Bug Description
How to reproduce:
1. Create new database with demo data
2. Enable 'Technical Features' and 'Multi Companies' for administrator
3. install 'warehouse' module
4. Edit user 'demo':
- change company to 'Your Company, Birmingham shop'
- change allowed companies to 'Your Company, Birmingham shop'
5. Create a delivery order as administrator to any of the partners, but make sure that the company is set to 'Your Company' in 'Additional Info' tab
6. Log out and log in as 'demo' user
7. Go to Warehouse/Delivery Orders and see OUT/00001 which this user shouldn't be able to see.
8. Click on delivery order OUT/00001 and error pops up:
" Access Denied
The requested operation cannot be completed due to security restrictions. Please contact your system administrator.
(Document type: Picking List, Operation: read)"
I traced this error to the following issue.
To display tree list OpenErp calls search() method on the objects it displaying. In this case it is 'stock.
Related branches
- Yannick Vaucher @ Camptocamp (community): Approve (code)
- Alexandre Fayolle - camptocamp (community): Approve (code review, test)
- Olivier Dony (Odoo): Approve (technical, no test)
- Amit Dodiya (OpenERP) (community): Needs Resubmitting
- Xavier ALT: Pending requested
- Naresh(OpenERP): Pending requested
-
Diff: 29 lines (+12/-0)1 file modifiedstock/stock.py (+12/-0)
| Egor Tsinko (etsinko) wrote | #2 |
| summary: |
- [7.0] Record rules for 'stock.picking' are not enforced on - 'stock.picking.out' when displaying tree view + Record rules for 'stock.picking' are not enforced on 'stock.picking.out' + when displaying tree view |
| Changed in openobject-addons: | |
| status: | New → Confirmed |
| Changed in openobject-addons: | |
| importance: | Undecided → Medium |
| assignee: | nobody → OpenERP R&D Addons Team 2 (openerp-dev-addons2) |
| Changed in openobject-addons: | |
| status: | Confirmed → In Progress |
| status: | In Progress → Confirmed |
| Amit Dodiya (OpenERP) (ado-openerp) wrote | #3 |
| Olivier Dony (Odoo) (odo-openerp) wrote | #4 |
| no longer affects: | openobject-addons/trunk |
| Changed in openobject-addons: | |
| status: | Confirmed → Fix Released |
| no longer affects: | openobject-addons/7.0 |
| Changed in openobject-addons: | |
| milestone: | none → 7.0 |
| Oliver Yuan (oliver-yuan) wrote | #5 |
Hello,
For 7.0 this issue is fixed with following branch:
branch: lp:~openerp-dev/openobject-addons/7.0-opw-590100-ado
revision-id: <email address hidden>
revision-no: 8914
Soon our experts will review and merge it with stable(7.0) addons.
Regards,
Amit