Comment 1 for bug 657013

Olivier Dony (Odoo) (odo-openerp) wrote:

Interesting point Albert, though I'm not sure the proposed solution (a la ir.attachment) is applicable for many cases... sometimes with subflows you may need to trigger chained transitions on objects on which you don't have read access. Just think of an Accountant closing an invoice linked to a sale.order: the closing of the invoice finishes the subflow and moves a transition on the parent flow (to which the accountant may not have access).
There may be other solutions, such as giving read/write access to workflow tables only to admin and patching the workflow engine to always access these tables as admin.

Important mitigation factors to this security issue:

It requires users to have a valid login on the system, and can only be exploited by bypassing the OpenERP Clients and accessing XML-RPC directly. This is not something regular users can/will do, and it is also not exploitable by "the world", even if your server is not in a private network (like SaaS). Some cases can also be restricted by adding appropriate ir.rules to your database.

Do you have a specific case in mind where this situation causes an immediate and real threat to one of your OpenERP systems?

Note: this is just a comment to let you know my thoughts; we are analyzing the issue with the R&D team.

Thank you for reporting this!