ORM: search should return empty list when meeting a NULL many2one in the middle of the evaluation of a chained domain expression.
Bug #598454 reported by Julien Thewys
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Odoo Server (MOVED TO GITHUB) | Fix Released | Medium | OpenERP's Framework R&D | |
Bug Description
Search should return empty list when meeting a NULL many2one in the middle of the evaluation of a chained domain expression.
Given the record rule domain:
[('employee_
Without the patch, the domain also matches objects whose employee is not in a department, i.e. it explicitly searches for objects for which 'employee_
This behavior is a security risk (potential information leakage).
I guess there could be a better way than my patch to handle this.
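The requested behaviour, as an added example that is not part of the original report or of the OpenERP code base: a small right-to-left resolver for a chained many2one path over SQLite, where `strict=True` returns an empty list as soon as an intermediate sub-search is empty. The schema, the table and column names, the `search` helper and the non-strict branch (one assumed way the described leak can arise) are all hypothetical.

```python
import sqlite3

# Constructed schema and rows; all table and column names are hypothetical.
SCHEMA = """
CREATE TABLE department (id INTEGER PRIMARY KEY, manager_id INTEGER);
CREATE TABLE employee (id INTEGER PRIMARY KEY, department_id INTEGER);
CREATE TABLE timesheet (id INTEGER PRIMARY KEY, employee_id INTEGER);
INSERT INTO department VALUES (1, 10), (2, 20);
INSERT INTO employee VALUES (1, 1), (2, 2), (3, NULL);
INSERT INTO timesheet VALUES (100, 1), (101, 2), (102, 3), (103, NULL);
"""
# Allowlist of searchable columns; many2one columns map to their target table.
COLUMNS = {
    "timesheet": {"employee_id": "employee"},
    "employee": {"department_id": "department"},
    "department": {"manager_id": None},
}

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def _ids(conn, sql, params=()):
    return [row[0] for row in conn.execute(sql + " ORDER BY id", params)]

def search(conn, table, path, value, strict=True):
    """Ids of `table` rows whose dotted many2one `path` equals `value`."""
    field, _, rest = path.partition(".")
    if field not in COLUMNS[table]:
        raise ValueError(f"unknown field {table}.{field}")
    if not rest:  # last hop: in SQL, NULL never equals a value
        return _ids(conn, f"SELECT id FROM {table} WHERE {field} = ?", (value,))
    target = COLUMNS[table][field]
    if target is None:
        raise ValueError(f"{table}.{field} is not a many2one")
    ids = search(conn, target, rest, value, strict)
    if not ids:
        if strict:
            return []  # nothing reachable through this link: match nothing
        # Assumed model of the reported leak: empty sub-result becomes a NULL test.
        return _ids(conn, f"SELECT id FROM {table} WHERE {field} IS NULL")
    marks = ",".join("?" * len(ids))
    return _ids(conn, f"SELECT id FROM {table} WHERE {field} IN ({marks})", ids)

if __name__ == "__main__":
    db = make_db()
    print(search(db, "timesheet", "employee_id.department_id.manager_id", 99))
```

With `strict=False` the same call returns the timesheet of the employee who has no department, which is the kind of record a rule built on this path is meant to hide.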
summary: |
- Search should return empty list when meeting a NULL many2one in the + ORM: search should return empty list when meeting a NULL many2one in the middle of the evaluation of a chained domain expression. |
Changed in openobject-server: | |
status: | Opinion → Confirmed |
Changed in openobject-server: | |
assignee: | nobody → OpenERP's Framework R&D (openerp-dev-framework) |
importance: | Undecided → Medium |
milestone: | 6.0 → 6.0-rc2 |
Changed in openobject-server: | |
status: | Confirmed → In Progress |
Changed in openobject-server: | |
status: | In Progress → Fix Committed |
Hi Julien,
From my point of view, no code should pass such a condition to the server.
A domain always has to be trustworthy.
We have such an 'insulation' in ir_rule.py's _domain_force_get() method.
Thanks.