Comment 2 for bug 906449

Olivier Dony (Odoo) (odo-openerp) wrote :

Hi,

Thanks for reporting and providing a patch. I'm confirming this with only "Low" priority because it is not a security vulnerability but rather a bad programming choice that could lead to errors when writing web addons.
When a web addon is installed (which requires an admin), it gets unlimited access to data on the client-side, just like a normal OpenERP addon can do anything with data on the server-side. We'd talk about a security issue if this was possible without having administrative privileges.

Normally we don't handle Low priority bugs via Launchpad anymore for the 6.0 web client (as explained in our bug management policy[1]), but as you provided a patch, I'll assign it to the OpenERP Enterprise (maintenance) team, so they can review your branch and merge it. BTW, you should create a merge proposal for your bugfix branch towards the lp:openobject-client/6.0 branch if you want it to be reviewed. This process is explained in the documentation too[2].

Thanks!

[1] http://bit.ly/openerp-bug-policy (See the FAQ)
[2] http://bit.ly/openerp-contrib-mp (See the guidelines)