users share field group access incorrect

Bug #863089 reported by Hannes (Neobis)
This bug affects 1 person
Affects: Odoo Addons (MOVED TO GITHUB)
Status: Fix Released
Importance: Low
Assigned to: OpenERP's Framework R&D

Bug Description

In the module 'share', in the file 'res_users.py' :

In both 'share' field definitions (res.groups and res.users) is the attribute:
    groups='share.group_share'

However, this group is not declared anywhere in the 'share' module. I can see the ID 'group_share_user' in the security file. I think this should be used in the 'share' fields.

I found this bug in the addons of OpenERP:
branch: http://bazaar.launchpad.net/~openerp/openobject-addons/6.0/
revno: 4821
(I did not search for other branches, revisions or whatever).

I found this bug because I wanted to learn how the 'groups' attribute on 'fields' works. There is little documentation about this. Might it be deprecated???

Olivier Dony (Odoo) (odo-openerp) wrote :

Hi,

To answer your question, the `groups` attribute that you can put on fields will restrict its visibility (in the UI) to only members of the named groups. It's not deprecated, and may be a comma-separated list of groups, in which case it will be visible to users of all the mentioned groups.
This is by no means a security mechanism (hence this is not a security bug), it's only present to customize views, and will not enforce any per-field access restriction. You can use it in the Python declaration to make it global, or put it in any view, for local effect.

Now you're right, the correct ID of the group is 'share.group_share_user'. However this is of no consequence here, because the 'share' field is not displayed in users/groups form/list views at all, it's an internal flag to track 'share users'.
And it's simply not included in any form/list view, so that's fine. It should only be in the search view, along with the special 'no_share' filter used to hide 'share_users' by default, and visible by everyone.

The unnecessary and incorrect `groups` attributes should still be removed, as they're just confusing. This was done in trunk at revision 5239 revid: <email address hidden>

Thanks for reporting!

Changed in openobject-addons:
assignee: nobody → OpenERP's Framework R&D (openerp-dev-framework)
importance: Undecided → Low
milestone: none → 6.1
status: New → Fix Released
security vulnerability: yes → no
visibility: private → public
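
The mismatch reported above (a field's `groups` attribute naming an XML ID that the module never declares) can be caught mechanically. The following is an added example, not part of the original thread or of OpenERP's code: it cross-checks `groups='...'` references in Python source against the `res.groups` records declared in a module's XML data. The sample inputs, the field types and labels in them, and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the report (not the real module files).
SAMPLE_PY = '''
class res_groups(osv.osv):
    _columns = {
        'share': fields.boolean('Share Group', groups='share.group_share'),
    }
class res_users(osv.osv):
    _columns = {
        'share': fields.boolean('Share User', groups='share.group_share, base.group_user'),
    }
'''
SAMPLE_XML = '''<openerp><data>
  <record id="group_share_user" model="res.groups">
    <field name="name">Sharing / User</field>
  </record>
</data></openerp>'''

# Matches groups='a.b' or groups="a.b, c.d" (a comma-separated list is allowed).
GROUPS_ATTR = re.compile(r"""\bgroups\s*=\s*(['"])(.*?)\1""")

def qualify(module, xid):
    """Prefix a bare XML ID with the module that owns the file."""
    return xid if '.' in xid else '%s.%s' % (module, xid)

def declared_groups(module, xml_text):
    """Fully qualified XML IDs of the res.groups records declared in xml_text."""
    root = ET.fromstring(xml_text)
    return {qualify(module, rec.get('id')) for rec in root.iter('record')
            if rec.get('model') == 'res.groups' and rec.get('id')}

def referenced_groups(module, py_text):
    """Yield (line_no, xml_id) for every group named in a groups attribute."""
    for no, line in enumerate(py_text.splitlines(), 1):
        for match in GROUPS_ATTR.finditer(line):
            for xid in filter(None, (p.strip() for p in match.group(2).split(','))):
                yield no, qualify(module, xid)

def undeclared_groups(module, py_text, xml_text):
    """References to the module's own groups that its XML data never declares.
    Groups owned by other modules are skipped: their data files are not loaded here."""
    known = declared_groups(module, xml_text)
    return [(no, xid) for no, xid in referenced_groups(module, py_text)
            if xid.startswith(module + '.') and xid not in known]

if __name__ == '__main__':
    for no, xid in undeclared_groups('share', SAMPLE_PY, SAMPLE_XML):
        print('line %d: group %s is referenced but not declared' % (no, xid))
```
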
Hannes (Neobis) (nb2) wrote :

Thanks Olivier!

1 question left, if I may...
I'm working on the official training material of OpenERP and there is a (hidden) part about per-field access restrictions. I'm wondering if this will be included anytime soon, since this link (https://bugs.launchpad.net/openobject-client/+bug/854849/comments/1) tells me there is no way to do this currently.

A data record in XML for ir_model_fields_group_rel is the only way I can think of. But I suppose this is not yet training material.

Thanks again!

Olivier Dony (Odoo) (odo-openerp) wrote : Re: [Bug 863089] Re: users share field group access incorrect

On 09/30/2011 11:13 AM, NEOBIS2 wrote:
> I'm wondering if this will be included anytime soon, since this link
> (https://bugs.launchpad.net/openobject-client/+bug/854849/comments/1)

It's not in the roadmap as far as I know, but it's possible that invitu
(poster of bug 854849) will contribute or sponsor something along those
lines eventually.

> But I suppose this is not yet training material.

Indeed, per-field access control is not supported at the moment, so
there is nothing to teach about it, except that it's not supported ;-)
