Issue 3932

Missing record rules for account.move and account.move.line
Remove company record rules (issue 4080)
Nosy list
albertca, ced, pokoli, resteve, reviewbot, yangoon
Assigned to

Created on 2014-05-22.00:17:25 by albertca, last changed 12 months ago by ced.


Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2021-09-23.15:00:01

Done with issue4080

Author: [hidden] (pokoli) Tryton committer Tryton translator
Date: 2017-06-14.16:03:19
Indeed the plan is to remove them. See issue4080
Author: [hidden] (resteve)
Date: 2017-06-14.15:55:49
Author: [hidden] (pokoli) Tryton committer Tryton translator
Date: 2014-05-22.17:12:37
Regarding the use, we should take into account analytic_lines (see issue3878): it has a dependency on account.move.line, so at least we have to guarantee that the user cannot see analytic lines linked to move_lines without permissions, otherwise it can lead to access_read errors.
Author: [hidden] (yangoon) Tryton translator
Date: 2014-05-22.15:27:45
I agree to not classify this issue as security. Permissions != Security, though this cannot serve as a general rule. This one for me is misconfiguration and only applies if you have access to the server (i.e. you are allowed to log in).

@ced: Nevertheless please don't remove me from nosy, I prefer to receive all mails that relate to security subjects, even if they are classified otherwise later.
Author: [hidden] (albertca)
Date: 2014-05-22.15:25:03
Fair enough.
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2014-05-22.01:19:55
For the record, any “missing” record rule or model access will never be a security issue because it is just configuration.
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2014-05-22.01:14:00
I vote as not a security issue at all.
Author: [hidden] (albertca)
Date: 2014-05-22.00:17:24
I think we should add record rules for filtering the current company in account.move and account.move.line.

It is currently not an issue from the UI because the action to open account.move from the menu already filters by company but it can be considered a security issue because the user could get data using JSON-RPC for which he should be banned.
History (most recent first):

Date                 User       Action  Args
2021-09-23 15:00:01  ced        set     messages: + msg70333; status: chatting -> closed; superseder: Remove company record rules
2019-07-07 11:44:37  ced        set     superseder: + Remove company record rules
2017-06-14 16:35:54  reviewbot  set     messages: + msg34057
2017-06-14 16:07:46  reviewbot  set     nosy: + reviewbot; messages: + msg34056
2017-06-14 16:03:19  pokoli     set     messages: + msg34055
2017-06-14 15:55:49  resteve    set     reviews: 39431002; nosy: + resteve; messages: + msg34054; keyword: + review
2014-05-22 17:12:38  pokoli     set     nosy: + pokoli; messages: + msg16898
2014-05-22 15:27:45  yangoon    set     nosy: + yangoon; messages: + msg16896
2014-05-22 15:25:04  albertca   set     messages: + msg16895
2014-05-22 01:19:56  ced        set     nosy: + ced; messages: + msg16890
