Relation models for Many2Many don't have an ir.model.access record because they are
just ModelSQL, not ModelView.
So I think we must remove create, read, write and delete from _rpc.
If everybody agrees on the fix, I propose this way of working:
- Push the fix to trunk and all supported series at the same time
- Make a release for every series (preferably the same day)
- Publish a security news that explains the issue.
Could you please also push the fix for version 1.6 to codereview. This is the
version in Debian stable and only this fix will be accepted, not an update to the
current 1.6.x.
With this fix I would like to coordinate with the security team to have approval
for simultaneous uploads to stable and unstable.
Would you like to get a CVE number? AFAIK the security team could assign one.
CVE-2012-0215 was assigned by the Debian project to this issue.
The corresponding ticket is:
The Tryton project discovered a vulnerability caused by missing checks of
access permissions on certain models in the Tryton server. The fix consists of
disabling 'create', 'write', 'delete' and 'copy' actions via rpc for those
models.
Please include the CVE number in all commit messages and news related to the
subject.
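To make the gap described above concrete, here is a small constructed simulation (added here, not trytond's own code): models that are ModelSQL but not ModelView have no ir.model.access record, so nothing refuses a storage call over RPC until those actions are removed from `_rpc`, as the advisory text proposes. `Model`, `ACCESS_RULES`, `dispatch()` and the relation model name are assumptions made for the example.

```python
# Constructed illustration of the access-check gap discussed in this thread; not
# trytond code. Model, ACCESS_RULES, dispatch() and the model names are assumptions.
class AccessDenied(Exception):
    pass

class Model:
    """Stand-in for a Tryton model: `_rpc` lists the methods exposed over RPC."""
    def __init__(self, name, rpc):
        self.name = name
        self._rpc = set(rpc)

# ir.model.access records exist only for ModelView models (constructed sample data).
ACCESS_RULES = {
    'party.party': {'create': True, 'read': True, 'write': True, 'delete': False},
}
STORAGE_ACTIONS = {'create', 'read', 'write', 'delete', 'copy'}

def check_access(model_name, method):
    """Mimic the access check: a model with no access record is never denied."""
    rules = ACCESS_RULES.get(model_name)
    if rules is None:
        return True  # nothing to consult: this is the gap the thread describes
    return rules.get(method, False)

def dispatch(model, method):
    """Return True when an RPC call to model.method would be executed."""
    if method not in model._rpc:
        raise AccessDenied('%s.%s is not exposed via RPC' % (model.name, method))
    if not check_access(model.name, method):
        raise AccessDenied('%s.%s denied by ir.model.access' % (model.name, method))
    return True

def harden_relation_model(model):
    """The fix from the advisory text: stop exposing the storage actions over RPC."""
    model._rpc -= {'create', 'write', 'delete', 'copy'}
    return model

def relation_model():
    """A Many2Many relation model (ModelSQL only, no access record) before the fix."""
    return Model('party.party-party.category', STORAGE_ACTIONS)

def allowed(model, method):
    """Convenience wrapper: True if the call goes through, False if it is refused."""
    try:
        return dispatch(model, method)
    except AccessDenied:
        return False
```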
On 24/03/12 13:03 +0100, Mathias Behrle wrote:
>
> Mathias Behrle <mathias.behrle@gmx.de> added the comment:
>
> From our (the Debian) side we are prepared to do the uploads.
>
> I propose Mo, 26.03 as release date. Is this ok for you?