Comment 3 for bug 1157839

Olivier Dony (Odoo) (odo-openerp) wrote : Re: Set admin email through chatter function

Hi Ludo,

Your analysis is quite correct, and this stems from the fact that "res.users" inherits from "res.partner". Among the inherited fields there will be the email field, which is therefore editable for any user that has management access on the partners.

There is no need for more convoluted steps than this: Partner Managers can edit any user, so if password reset is enabled on the login page they can hijack the admin account.

We must restrict operations on the res.partner records that are parents of res.users, so that at least the email field cannot be edited.

Thanks for reporting!
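To make the mechanism in the comment above concrete, here is a constructed Python stand-in for the delegation inheritance between res.users and res.partner. It is example code added here, not Odoo's ORM and not the fix Odoo eventually shipped; the group names, the `hardened` flag, the `user_backed` registry and the reset-token flow are assumptions chosen to illustrate the report. It shows that a write on the partner record reaches the user's email without touching any res.users access check, that a Partner Manager can therefore redirect the admin's reset mail, and one way to restrict writes on partner records that back a user while leaving ordinary contacts editable.

```python
"""Constructed stand-in for Odoo's delegation inheritance (res.users _inherits
res.partner). Example code, not Odoo's ORM or its actual fix; group names,
function names and the reset-token flow are assumptions."""

import secrets

# Hypothetical group identifiers (Odoo's real XML ids differ).
GROUP_PARTNER_MANAGER = "partner_manager"   # may edit any res.partner
GROUP_USER_ADMIN = "user_admin"             # may manage res.users

# Inherited partner fields that drive account recovery and therefore must not
# be editable by a mere Partner Manager when the partner backs a user.
PROTECTED_PARTNER_FIELDS = {"email"}


class AccessError(Exception):
    pass


class Partner:
    """res.partner: the contact record; the email field lives here."""
    user_backed = {}   # partner id -> User; answers "is this partner the parent of a res.users?"

    def __init__(self, pid, name, email):
        self.id, self.name, self.email = pid, name, email

    def write(self, vals, caller, hardened):
        # Baseline ACL: a user may edit their own partner; anyone else needs Partner Manager.
        if caller.partner is not self and GROUP_PARTNER_MANAGER not in caller.groups:
            raise AccessError("no write access on res.partner")
        # Restriction sketched in the comment: a partner that is the parent of a
        # res.users record gets the stricter res.users policy for sensitive fields.
        if hardened and self.id in Partner.user_backed:
            touched = PROTECTED_PARTNER_FIELDS.intersection(vals)
            if touched and GROUP_USER_ADMIN not in caller.groups:
                raise AccessError(f"{sorted(touched)} on a user's partner needs {GROUP_USER_ADMIN}")
        for field, value in vals.items():
            setattr(self, field, value)


class User:
    """res.users: delegates name/email to its partner (the _inherits relation)."""

    def __init__(self, uid, login, partner, groups):
        self.id, self.login, self.partner, self.groups = uid, login, partner, set(groups)
        Partner.user_backed[partner.id] = self

    @property
    def email(self):
        return self.partner.email   # inherited field: reads go through the partner

    def write(self, vals, caller, hardened):
        # Writing an inherited field on the user is forwarded to the partner, so
        # the partner's own write() is where the restriction has to live.
        if caller is not self and GROUP_USER_ADMIN not in caller.groups:
            raise AccessError("no write access on res.users")
        partner_vals = {k: v for k, v in vals.items() if k in ("name", "email")}
        if partner_vals:
            self.partner.write(partner_vals, caller, hardened)


def request_password_reset(users, login):
    """Login-page reset: returns (recipient email, token) as the mailer would see them."""
    user = next(u for u in users if u.login == login)
    return user.email, secrets.token_urlsafe(16)


def build_db():
    # Constructed sample data: an admin and a Partner Manager without user-admin rights.
    admin = User(1, "admin", Partner(1, "Administrator", "admin@example.com"),
                 [GROUP_USER_ADMIN, GROUP_PARTNER_MANAGER])
    mallory = User(2, "mallory", Partner(2, "Mallory", "mallory@example.com"),
                   [GROUP_PARTNER_MANAGER])
    return admin, mallory


def hijack_attempt(hardened):
    """Mallory, a Partner Manager, points the admin's email at herself and then
    triggers a reset. Returns the address the reset token goes to, or None if blocked."""
    admin, mallory = build_db()
    try:
        # A direct write on res.partner never consults the res.users ACL at all.
        admin.partner.write({"email": "attacker@example.com"}, caller=mallory, hardened=hardened)
    except AccessError:
        return None
    recipient, _token = request_password_reset([admin, mallory], "admin")
    return recipient


def admin_can_still_change_own_email(hardened=True):
    """A user admin editing through res.users is still allowed under the restriction."""
    admin, _ = build_db()
    admin.write({"email": "root@example.com"}, caller=admin, hardened=hardened)
    return admin.email


def partner_manager_edits_plain_contact(hardened=True):
    """The restriction only bites on user-backed partners; ordinary contacts stay editable."""
    _, mallory = build_db()
    contact = Partner(3, "Plain contact", "old@example.com")
    contact.write({"email": "new@example.com"}, caller=mallory, hardened=hardened)
    return contact.email


if __name__ == "__main__":
    print("unpatched, reset mail goes to:", hijack_attempt(hardened=False))  # attacker@example.com
    print("patched, reset mail goes to:", hijack_attempt(hardened=True))     # None
```

The check is placed in the partner's `write()` rather than the user's because, with delegation inheritance, the user model's write only forwards to the partner; a Partner Manager who opens the contact directly never passes through res.users at all. Keying the restriction on "is this partner the parent of a user" keeps the extra policy off ordinary contacts.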