Anonymous user can DELETE filters when debug GET parameter is activated
Bug #1130712 reported by
Marcel van der Boom (HS-Development BV)
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Odoo Server (MOVED TO GITHUB) |
Confirmed
|
Medium
|
OpenERP's Framework R&D | ||
Bug Description
When the public portal functionality is activated, the anonymous user can CREATE/DELETE defined filters from the system.
How to reproduce:
1. Activate the public portal functionality
2. specify the debug GET parameter on the url
3. in the debug menu, click 'Manage filters'
4. clear the automatically applied filters (all filters are shown)
5. Select any of the filters and delete it.
Expected behaviour: No display of filters at all.
| information type: | Private Security → Public Security |
Revision history for this message
| Twinkle Christian(OpenERP) (tch-openerp) wrote | #1 |
| affects: | openobject-addons → openobject-server |
| Changed in openobject-server: | |
| assignee: | nobody → OpenERP's Framework R&D (openerp-dev-framework) |
| importance: | Undecided → Medium |
| status: | New → Confirmed |
Revision history for this message
| Olivier Dony (Odoo) (odo-openerp) wrote | #2 |
To post a comment you must log in.
Actually the anonymous user has the same access right by default as other users: they're allowed to create/edit/delete any filter that they own or that is owned by no-one (i.e. shared filters). They will not be able to modify filters that are owned by others.
However this is indeed not appropriate: when logged in as anonymous the user should be able to:
- create filters and view/manage filters that are owned by anonymous
- view global filters (filters with no assigned users) but *not* modify/
This is trickier than it seems based on the way ir.model.access and ir.rules work by default, and might actually require some Python code.