Several security flaws
|OpenERP's Framework R&D|
Any user that must be able to create a document with a workflow such as 'sale.order' must have write/create rights on workflow item and instance models. This means the user will be able to modify the workflow step of any document in the system such as invoices even if he has no rights on invoices. This will desynchronize model's 'state' field with the workflow step leaving a messy system.
'ir.attachment' already has this point solved so the same solution should be applied here for 'instance' and 'workitem' models.
I think similar issues apply to other models that affect the way OpenERP works (haven't deeply checked them):
- In 'ir.rule': one must give read access to 'ir.rule' to all users. Do we really want to let users know what restrictions are being applied to them?
- In 'ir.property': Isn't it possible for any user access any information only because it must be given read access to 'ir.property' model?
- In 'ir.sequence': If a user must have access to a sequence to create 'sale.order', he will have access to other sequences as well. (Right, you can create rules for that but it really is not sensible to ask that to administrator).
- In 'ir.default': Do we want to let users see what other users set as default value for themselves?
- In 'ir.model.access': Do we want to let users see what other users are allowed to see and what not?
- In 'ir.translation': We're letting any user read and probably overwrite information of data they may not be allowed to access.
And basically any model that is given at least read access to all users should be analyzed.
|Changed in openobject-server:|
|status:||Triaged → Incomplete|