Tryton - Issues

Title: Missing record rules for account.move and account.move.line
Priority: feature
Status: chatting
Superseder: issue4080 (Remove company record rules)
Nosy List: albertca, ced, pokoli, resteve, reviewbot, yangoon
Type: behavior
Components:
Assigned To:
Keywords: review
Reviews: 39431002

Created on 2014-05-22.00:17:25 by albertca, last changed by ced.

msg34055 (view) Author: [hidden] (pokoli) (Tryton committer) (Tryton translator) Date: 2017-06-14.16:03:19
Indeed the plan is to remove them. See issue4080
msg34054 (view) Author: [hidden] (resteve) Date: 2017-06-14.15:55:49
msg16898 (view) Author: [hidden] (pokoli) (Tryton committer) (Tryton translator) Date: 2014-05-22.17:12:37
Regarding the use, we should take into account analytic_lines (see issue3878); it has a dependency on account.move.line, so at least we have to guarantee that the user cannot see analytic lines linked to move_lines without permissions, otherwise you can lead to access_read errors.
msg16896 (view) Author: [hidden] (yangoon) (Tryton translator) Date: 2014-05-22.15:27:45
I agree to not classify this issue as security. Permissions != Security, despite this cannot serve as a general rule. This one for me is misconfiguration and only applies if you have access to the server (i.e. you are allowed to log in).

@ced: Nevertheless please don't remove me from nosy, I prefer to receive all mails that relate to security subjects, even if they are classified otherwise later.
msg16895 (view) Author: [hidden] (albertca) (Tryton committer) Date: 2014-05-22.15:25:03
Fair enough.
msg16890 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2014-05-22.01:19:55
For the record, any “missing” record rule or model access will never be a security issue because it is just configuration.
msg16889 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2014-05-22.01:14:00
I vote as not a security issue at all.
msg16888 (view) Author: [hidden] (albertca) (Tryton committer) Date: 2014-05-22.00:17:24
I think we should add record rules for filtering the current company in account.move and account.move.line.

It is currently not an issue from the UI because the action to open account.move from the menu already filters by company but it can be considered a security issue because the user could get data using JSON-RPC for which he should be banned.
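The point msg16888 makes (a domain on the menu action only shapes what the client asks for, while a record rule is enforced by the server on every call, JSON-RPC included) and the follow-up concern in msg16898 (a rule on account.move.line without a matching rule on the dependent analytic lines turns a hidden record into an access error) are shown below in a toy ORM. This is an added example written for this page, not Tryton code: TinyModel, Session, the three model names and their rows are invented for illustration and do not reproduce Tryton's ir.rule API.

```python
"""Added example (not Tryton code): UI-side domain filter vs. server-side
record rule. The menu action puts a company domain in the *client's* request;
a record rule is applied by the *server* to every search/read, so it also
covers a JSON-RPC caller that sends no domain at all. All names and rows here
are constructed for illustration."""
from typing import Callable, List, Optional, Tuple

Domain = List[Tuple[str, str, object]]   # e.g. [('company', '=', 1)]


class AccessError(Exception):
    """read() of a record the caller's record rule hides."""


class Session:
    def __init__(self, user: str, company: int):
        self.user = user
        self.company = company


def _match(row: dict, domain: Domain) -> bool:
    """Evaluate a tiny domain: only '=' and 'in' are needed here."""
    for field, op, value in domain:
        if op == '=' and row.get(field) != value:
            return False
        if op == 'in' and row.get(field) not in value:
            return False
    return True


class TinyModel:
    def __init__(self, name: str, rows: List[dict]):
        self.name = name
        self.rows = {r['id']: r for r in rows}
        # Record rule: Session -> Domain, applied by the server on EVERY access.
        # None means "no rule", which is the situation the report describes.
        self.record_rule: Optional[Callable[[Session], Domain]] = None

    def _visible(self, session: Session, row: dict) -> bool:
        return self.record_rule is None or _match(row, self.record_rule(session))

    def search(self, session: Session, domain: Optional[Domain] = None) -> List[int]:
        # The caller's domain narrows the result; the record rule narrows it
        # again, whether or not the caller sent anything.
        return sorted(r['id'] for r in self.rows.values()
                      if _match(r, domain or []) and self._visible(session, r))

    def read(self, session: Session, ids: List[int], fields: List[str]) -> List[dict]:
        out = []
        for id_ in ids:
            row = self.rows[id_]
            if not self._visible(session, row):
                raise AccessError(f'{self.name} id {id_} is not readable by {session.user}')
            out.append({f: row[f] for f in fields})
        return out


# Constructed sample data: two companies, moves/lines in each, and analytic
# lines hanging off the move lines (the dependency msg16898 points at).
MOVE = TinyModel('account.move', [
    {'id': 1, 'company': 1}, {'id': 2, 'company': 1}, {'id': 3, 'company': 2}])
MOVE_LINE = TinyModel('account.move.line', [
    {'id': 10, 'move': 1, 'company': 1}, {'id': 11, 'move': 3, 'company': 2}])
ANALYTIC_LINE = TinyModel('analytic_account.line', [
    {'id': 100, 'move_line': 10}, {'id': 101, 'move_line': 11}])


def company_rule(session: Session) -> Domain:
    return [('company', '=', session.company)]


def analytic_rule(session: Session) -> Domain:
    """Mirror the move-line rule on the dependent model, so a user is never
    handed analytic lines whose move line they then cannot read."""
    return [('move_line', 'in', MOVE_LINE.search(session))]


def clear_rules() -> None:
    for model in (MOVE, MOVE_LINE, ANALYTIC_LINE):
        model.record_rule = None


def install_company_rules() -> None:
    MOVE.record_rule = company_rule
    MOVE_LINE.record_rule = company_rule


def ui_open_moves(session: Session) -> List[int]:
    """What the menu action does: the client supplies the company domain."""
    return MOVE.search(session, [('company', '=', session.company)])


def rpc_search_moves(session: Session) -> List[int]:
    """What a direct JSON-RPC caller can do: nothing forces it to send a domain."""
    return MOVE.search(session, [])


def analytic_lines_with_moves(session: Session) -> List[int]:
    """List analytic lines and follow move_line, as a form or report would.
    Raises AccessError when a move line is hidden but its analytic line is not."""
    ids = ANALYTIC_LINE.search(session)
    rows = ANALYTIC_LINE.read(session, ids, ['id', 'move_line'])
    MOVE_LINE.read(session, [r['move_line'] for r in rows], ['id'])
    return [r['id'] for r in rows]


if __name__ == '__main__':
    alice = Session('alice', company=1)
    clear_rules()
    print('UI, no rules:   ', ui_open_moves(alice))     # [1, 2]
    print('RPC, no rules:  ', rpc_search_moves(alice))  # [1, 2, 3]  <- the leak
    install_company_rules()
    print('RPC, with rule: ', rpc_search_moves(alice))  # [1, 2]
    try:
        analytic_lines_with_moves(alice)
    except AccessError as e:
        print('analytic lines without a matching rule:', e)
    ANALYTIC_LINE.record_rule = analytic_rule
    print('analytic lines with matching rule:', analytic_lines_with_moves(alice))  # [100]
```

Run as a script it walks through the three states in order: no rules (the UI looks fine, the bare RPC search returns the other company's moves), a company rule on account.move and account.move.line (the RPC search is filtered too), and finally the same rule mirrored onto the analytic lines so that following move_line no longer raises.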
History

Date                 User       Action
2019-07-07 11:44:37  ced        set superseder: + Remove company record rules
2017-06-14 16:35:54  reviewbot  set messages: + msg34057
2017-06-14 16:07:46  reviewbot  set nosy: + reviewbot; messages: + msg34056
2017-06-14 16:03:19  pokoli     set messages: + msg34055
2017-06-14 15:55:49  resteve    set reviews: 39431002; nosy: + resteve; messages: + msg34054; keyword: + review
2014-05-22 17:12:38  pokoli     set nosy: + pokoli; messages: + msg16898
2014-05-22 15:27:45  yangoon    set nosy: + yangoon; messages: + msg16896
2014-05-22 15:25:04  albertca   set messages: + msg16895
2014-05-22 01:19:56  ced        set nosy: + ced; messages: + msg16890
2014-05-22 01:15:38  ced        set priority: bug -> feature; nosy: - ced, bch, yangoon, nicoe, sharkcz, daniel, ajacoutot; type: security -> behavior