Created on 2014-05-22.00:17:25 by albertca, last changed 12 months ago by ced.
Done with issue4080
Indeed the plan is to remove them. See issue4080
Regarding the use, we should take into account analytic_lines (see issue3878); it has a dependency on account.move.line, so at least we have to guarantee that the user cannot see analytic lines linked to move_lines without permissions, otherwise it can lead to access_read errors.
I agree to not classify this issue as security. Permissions != Security, although this cannot serve as a general rule. This one for me is misconfiguration and only applies if you have access to the server (i.e. you are allowed to log in). @ced: Nevertheless please don't remove me from nosy, I prefer to receive all mails that relate to security subjects, even if they are classified otherwise later.
For the record, any “missing” record rule or model access will never be a security issue because it is just configuration.
I vote as not a security issue at all.
I think we should add record rules for filtering the current company in account.move and account.move.line. It is currently not an issue from the UI because the action to open account.move from the menu already filters by company but it can be considered a security issue because the user could get data using JSON-RPC for which he should be banned.
status: chatting -> closed
superseder: Remove company record rules
| Date | By | Action | Args |
|---|---|---|---|
| 2019-07-07 11:44:37 | ced | set | superseder: + Remove company record rules |
| 2017-06-14 16:35:54 | reviewbot | set | messages: + msg34057 |
| | | | messages: + msg34056 |
| 2017-06-14 16:03:19 | pokoli | set | messages: + msg34055 |
| 2017-06-14 15:55:49 | resteve | set | reviews: 39431002 |
| | | | nosy: + resteve |
| | | | messages: + msg34054 |
| | | | keyword: + review |
| | | | messages: + msg16898 |
| | | | messages: + msg16896 |
| 2014-05-22 15:25:04 | albertca | set | messages: + msg16895 |
| | | | messages: + msg16890 |