Access denied on Res Partner
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Odoo Server (MOVED TO GITHUB) | Confirmed | Undecided | Unassigned | |
Bug Description
Dear All,
As Administrator, I created a record rule to restrict access to contacts.
Below is the rule definition for object "res.partner":
['|','|
Then, I attached the "See Own leads" group to this rule.
When a user of this group tries to type anything in the "search bar" of the Sales/Clients menu, he gets the following error:
Access denied
The requested operation cannot be completed due to security restrictions ...
Document type: Partner, Operation: Read
I tried this in a new & empty database.
I created a new user (user2) attached to group "See Own Leads".
We created 2 partners: Test1 with user_id as Admin and Test2 with user_id as user2
I logged in as User2. From menu "Sales/Clients":
I see only Test2 (good as record rule works)
We tested 2 scenarios:
Scenario 1:
- I typed in the search bar the letter "t" (which is in the Test1 and Test2 partner names) ==>
Access denied
The requested operation cannot be completed due to security restrictions ...
Document type: Partner, Operation: Read
Scenario 2:
- I typed in the search bar the letter "k" (which is not in the Test1 and Test2 partner names) ==> no problem!!!
Changed in openobject-server: status: New → Confirmed
This also affects the standard multi_company rule on res.partner for the same reason.
It can be worked around by disabling the rule for read access, but this is the source of an information leak.