Removal if an inherited group does not remove users from said group
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Odoo Server (MOVED TO GITHUB) |
Confirmed
|
Medium
|
OpenERP's Framework R&D |
Bug Description
Suppose we have a user U and groups Seller, AdvancedSeller
U is only member of AdvancedSeller.
Now we open the group "AdvancedSeller" and add "Seller" under Inherited Groups.
This works as expected, U becomes a member of Seller, so adding inheritance influences existing users.
Now we open the group AdvancedSeller again and remove "Seller" under Inherited Groups.
With the behaviour from above, I would expect that U gets removed from "Seller"´. However, he remains a seller.
In conclusion, removing inherited groups from a group does not correctly limit the group's rights.
I think I understand the technical reasons for this: Adding can be done no matter the previous state of the User, worst case is he already was in the Seller group and the additional add via inheritance doesn't hurt.
However if we want to apply removed inheritance to the user, we face the question if he is member of seller ONLY because of the group inheritance or he was added there manually before the inheritance was introduced.
I am not sure how to resolve this. Maybe group inheritance is inherently wrong and should be replaced by allowing groups to become members of groups.
I get that this is almost a feature request but I believe it is a potential security issue that adding permissions works as intended but removing permissions on the same way fails without a warning.
At the very least there should be a warning dialog after removal of an inheritance that reminds the user to manually remove the group ownership
Changed in openobject-server: | |
assignee: | nobody → OpenERP's Framework R&D (openerp-dev-framework) |
importance: | Undecided → Medium |
status: | New → Confirmed |
Update:
I compared this behaviour to redmine and I believe they have a very elegant solution, at least from the user perspective.
You can try it here: http:// demo.redmine. org/
Basically they seem to remember if a user was given permissions individually or as part of a group. It is impossible to manually add or remove permissions that a user was given via the group (greyed out). If a user was member of a project before his group was added, he will remain a member even if you remove his group.
I have not looked at the underlying DB yet but I wanted to point out that his is how I think it should work.