Comment 1 for bug 1066580

Olivier Dony (Odoo) (odo-openerp) wrote :

Hi Christophe,

Could you please elaborate on your bug report? I think you're familiar enough with the OpenERP framework to know that all of the following things are orthogonal:
- access rights (CRUD permissions on models a.k.a database tables)
- record rules (global or group-local per-record filtering rules)
- menu visibility (based on groups but not necessarily linked to access rights - you might not see a menu to something you can read)
- web client URL mapping to OpenERP actions (a desired feature is that URLs clearly and directly map to corresponding OpenERP actions and records)

Based on these premises, I assume you are only concerned about the default access rights and rules that are set for crm.lead records? (even though your description seems to focus on URL replay?)

The result you are describing in your report is the expected result, given the fact that the CRM module grants read access to all leads to all Employees by default. I agree that this may not be 100% consistent with the presence of the "User - See All Leads" Group, but this is only a default configuration setting - it should be reviewed just like all other access rights when setting up a new deployment.
Also keep in mind that Employees may only read the leads, but they may not modify them in any way - they need one of the "User - See XXX Leads" groups to do so.

We should not change this in stable versions, as many installations could depend on the current settings. If anyone is concerned about it and did not properly review the access rights during deployment, they can still simply change the default access rights.

For 7.0 however it might be possible to drop this default access right on Employee and keep it exclusively on the "User - See XXX Leads" groups, provided this does not break anything else. Is that what you had in mind?

Thanks in advance for providing some more details on your bug report...
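The four layers the comment lists (access rights, record rules, menu visibility, URL-to-action mapping) are easy to confuse, and the security point is that only the first two enforce anything. The following is a constructed toy model written for this page, not OpenERP/Odoo code: the group names, the `crm.group_see_*` XML ids, the users, the leads and the URL format are all assumptions chosen to mirror the comment. It shows that a plain Employee who cannot see the CRM menu still reads every lead by replaying an action URL under the default-style ACL, and that dropping the Employee grant (the change floated for 7.0) is what actually closes that path.

```python
# Constructed model of OpenERP's authorization layers (not OpenERP/Odoo code).
# All group ids, users, records and URLs below are assumptions for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs


class AccessError(Exception):
    """Raised when the access-rights layer refuses a CRUD operation."""


@dataclass(frozen=True)
class Access:
    read: bool = False
    write: bool = False
    create: bool = False
    unlink: bool = False


@dataclass(frozen=True)
class Rule:
    model: str
    group: Optional[str]                  # None = global rule, applies to everyone
    domain: Callable[[dict, int], bool]   # stand-in for a domain: (record, uid) -> keep?


# Assumed group ids (hypothetical XML ids, not real CRM ones).
EMPLOYEE, SEE_OWN, SEE_ALL = "base.group_user", "crm.group_see_own_leads", "crm.group_see_all_leads"

USERS: Dict[int, Set[str]] = {          # constructed users: uid -> groups
    1: {EMPLOYEE, SEE_OWN},              # sales user restricted to own leads
    2: {EMPLOYEE},                       # plain Employee, no CRM group at all
    3: {EMPLOYEE, SEE_ALL},              # sales manager
}
LEADS: List[dict] = [                    # constructed crm.lead records
    {"id": 10, "name": "Lead A", "user_id": 1},
    {"id": 11, "name": "Lead B", "user_id": 3},
    {"id": 12, "name": "Lead C", "user_id": 1},
]

# Layer 1: access rights (what ir.model.access.csv encodes), keyed by (model, group).
# DEFAULT_ACL mirrors the comment: every Employee may read leads, only SEE_ALL may modify.
DEFAULT_ACL: Dict[Tuple[str, str], Access] = {
    ("crm.lead", EMPLOYEE): Access(read=True),
    ("crm.lead", SEE_ALL): Access(read=True, write=True, create=True, unlink=True),
}
# STRICT_ACL is the variant floated for 7.0: no grant on Employee at all.
STRICT_ACL: Dict[Tuple[str, str], Access] = {
    ("crm.lead", SEE_OWN): Access(read=True, write=True, create=True),
    ("crm.lead", SEE_ALL): Access(read=True, write=True, create=True, unlink=True),
}
# Layer 2: record rules, applied only after layer 1 has passed.
RULES: List[Rule] = [Rule("crm.lead", SEE_OWN, lambda rec, uid: rec["user_id"] == uid)]
# Layer 3: menu visibility, independent of layers 1 and 2.
MENUS: Dict[str, Set[str]] = {"crm.menu_leads": {SEE_OWN, SEE_ALL}}
# Layer 4: action id -> model; the action id is all a client URL needs to carry.
ACTIONS: Dict[str, str] = {"crm.action_leads": "crm.lead"}


def check_access(acl: Dict[Tuple[str, str], Access], groups: Set[str], model: str, op: str) -> None:
    """Layer 1: pass if any of the user's groups grants `op` on `model`, else raise."""
    if not any(getattr(acl.get((model, g), Access()), op) for g in groups):
        raise AccessError(f"{op} denied on {model}")


def apply_rules(rules: List[Rule], groups: Set[str], uid: int, model: str, records: List[dict]) -> List[dict]:
    """Layer 2: global rules are ANDed, group rules are ORed across the user's groups;
    a user with no applicable group rule is filtered by global rules only."""
    glob = [r for r in rules if r.model == model and r.group is None]
    grp = [r for r in rules if r.model == model and r.group in groups]
    kept = []
    for rec in records:
        if all(r.domain(rec, uid) for r in glob) and (not grp or any(r.domain(rec, uid) for r in grp)):
            kept.append(rec)
    return kept


def menu_visible(menu: str, groups: Set[str]) -> bool:
    """Layer 3: cosmetic only; hiding a menu enforces nothing server-side."""
    return bool(MENUS[menu] & groups)


def open_url(acl: Dict[Tuple[str, str], Access], url: str, uid: int) -> List[int]:
    """Layer 4, then 1, then 2: the ids a replayed '#action=...&id=...' URL returns.
    A real ORM raises when a requested id is filtered out; this toy just returns []."""
    params = parse_qs(url.split("#", 1)[1])
    model = ACTIONS[params["action"][0]]
    groups = USERS[uid]
    check_access(acl, groups, model, "read")
    recs = apply_rules(RULES, groups, uid, model, LEADS)
    if "id" in params:
        recs = [r for r in recs if r["id"] == int(params["id"][0])]
    return [r["id"] for r in recs]


if __name__ == "__main__":
    url = "#action=crm.action_leads"
    print("bob sees CRM menu:", menu_visible("crm.menu_leads", USERS[2]))
    print("bob via replayed URL, default ACL:", open_url(DEFAULT_ACL, url, 2))
    try:
        open_url(STRICT_ACL, url, 2)
    except AccessError as exc:
        print("bob via replayed URL, strict ACL:", exc)
```

The check order in `open_url` is the part worth keeping in mind when reviewing a deployment: the menu is never consulted, so a reviewer who wants to know who can read leads should read the `ir.model.access` grants and the record rules for `crm.lead`, not the menu groups.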