[6.0RC1] corporate intelligence - process selection does not respect user/group priviledges
Bug #680934 reported by
Ferdinand
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Odoo Addons (MOVED TO GITHUB) |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
i removed accounting from user demo and was able to select customer invoices from process and navigate to accounting entries
IMHO clicking the right bottom icon of process nodes must check user/group read permissions
| security vulnerability: | yes → no |
| visibility: | private → public |
Revision history for this message
| Antony Lesuisse (OpenERP) (al-openerp) wrote | #1 |
| affects: | openobject-client-web → openobject-addons |
| Changed in openobject-addons: | |
| status: | New → Invalid |
To post a comment you must log in.
Thanks for the report.
As sale/user you have the right to see your invoices, removing the group accouting/invoice hides the menu but it's still possible to get access to the invoice from the process or from the history tab of the sale order. However you don't have access to account.move nor account.move.line. Tested with addons revno 4015.