Tryton - Issues


Issue5570

Title: Missing model access for "Product - BOM"
Priority: bug
Status: resolved
Superseder:
Nosy List: ajacoutot, bch, ced, nicoe, pokoli, roundup-bot, sharkcz, yangoon
Type: security
Components: production
Assigned To: ced
Keywords: review
Reviews: 26301002

Created on 2016-05-23.11:47:04 by ced, last changed by roundup-bot.

Messages
New changeset e4f6962ef03b by Cédric Krier in branch 'default':
Security Announce for issue5570
http://hg.tryton.org/www.tryton.org/rev/e4f6962ef03b
msg26344 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2016-06-15.16:58:11
Pushed in r 05d15c329f47
msg26283 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2016-06-14.15:48:46
Here is the announce: review23211002
msg25948 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2016-05-24.11:35:35
But we want to let user customize it. Also XML override is bad practice, it breaks the modularity.
msg25947 (view) Author: [hidden] (pokoli) (Tryton committer) Date: 2016-05-24.11:26:45
AFAIK you can always override (via XML) the values of the explicit access, so it's always possible to restrict the access in third party modules.
msg25945 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2016-05-24.10:51:59
I don't think it is good because it will prevent users from customizing to restrict access.
msg25944 (view) Author: [hidden] (pokoli) (Tryton committer) Date: 2016-05-24.10:37:19
On 23/05/16 at 17:30, Cédric Krier wrote:
> Cédric Krier<cedric.krier@b2ck.com>  added the comment:
> 
> On 2016-05-23 17:03, Sergi Almacellas Abellana wrote:
>> On the other hand I think we need a test to avoid such type of errors, so we can ensure that no other models are affected.
> But there are valid cases where no access rights is correct.
For sure, but in these case I think it is better to explicitly give all access to all users.
msg25938 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2016-05-23.17:30:11
On 2016-05-23 17:03, Sergi Almacellas Abellana wrote:
> On the other hand I think we need a test to avoid such type of errors, so we can ensure that no other models are affected.

But there are valid cases where no access rights is correct.
msg25937 (view) Author: [hidden] (pokoli) (Tryton committer) Date: 2016-05-23.17:03:50
I agree on the security release, so for me the news is enough.

On the other hand I think we need a test to avoid such type of errors, so we can ensure that no other models are affected.
msg25934 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2016-05-23.11:56:22
Here is review26301002
msg25933 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2016-05-23.11:53:04
Indeed I think it is better to give the same model rights as the BOM.
msg25932 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2016-05-23.11:47:03
There is no model access for "product.product-production.bom", I think it should have the same as "product.product".

I marked as security but I'm not sure if it requires a security release.
I think just a post on the news with explanation on how to create the missing model access manually should be enough.
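The two suggestions in this thread, a test that catches models with no access record at all (msg25937) and creating the missing access records by mirroring those of "product.product" (msg25932, msg25933), can both be done by reading a module's XML data. The script below is an added example and is not Tryton's own code or test; it assumes the Tryton 3.x/4.x XML convention in which an ir.model.access record points at its model through `<field name="model" search="[('model', '=', '...')]"/>`, and the sample XML and model list it uses are constructed for the example (the real product and production module files are not reproduced). Tryton treats a model that has no ir.model.access record as unrestricted, so every model the audit reports is one that either needs explicit access records or a deliberate decision that open access is correct.

```python
"""Audit Tryton module XML for models that lack ir.model.access records
and draft access records for a missing model by copying another model's.

Constructed example: the XML below is a made-up fragment in the shape of a
Tryton module data file; it is not the real product/production module XML.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: two access records for product.product, none for the
# product.product-production.bom relation model discussed in the issue.
SAMPLE_XML = """<?xml version="1.0"?>
<tryton>
  <data>
    <record model="ir.model.access" id="access_product">
      <field name="model" search="[('model', '=', 'product.product')]"/>
      <field name="perm_read" eval="True"/>
      <field name="perm_write" eval="False"/>
      <field name="perm_create" eval="False"/>
      <field name="perm_delete" eval="False"/>
    </record>
    <record model="ir.model.access" id="access_product_admin">
      <field name="model" search="[('model', '=', 'product.product')]"/>
      <field name="group" ref="product.group_product_admin"/>
      <field name="perm_read" eval="True"/>
      <field name="perm_write" eval="True"/>
      <field name="perm_create" eval="True"/>
      <field name="perm_delete" eval="True"/>
    </record>
  </data>
</tryton>
"""

# Hypothetical list of models the module declares; in a real deployment this
# would come from the Pool or the ir.model table after installation.
MODULE_MODELS = ["product.product", "product.product-production.bom"]

# Pulls the model name out of a search domain like [('model', '=', 'x.y')]
_DOMAIN_RE = re.compile(r"\(\s*'model'\s*,\s*'='\s*,\s*'([^']+)'\s*\)")


def _model_of(record):
    """Return the model name an ir.model.access record targets, or None."""
    for field in record.findall("field"):
        if field.get("name") == "model":
            m = _DOMAIN_RE.search(field.get("search", ""))
            return m.group(1) if m else None
    return None


def access_records(xml_text):
    """Map model name -> list of ir.model.access <record> elements."""
    root = ET.fromstring(xml_text)
    found = {}
    for record in root.iter("record"):
        if record.get("model") != "ir.model.access":
            continue
        model = _model_of(record)
        if model:
            found.setdefault(model, []).append(record)
    return found


def models_without_access(xml_text, models):
    """Models from `models` that have no ir.model.access record at all.

    In Tryton a model with no access record is unrestricted, so each name
    returned needs either explicit records or a deliberate decision.
    """
    covered = access_records(xml_text)
    return sorted(m for m in models if m not in covered)


def clone_access(xml_text, source_model, target_model):
    """Draft access records for target_model mirroring source_model's.

    Returns the XML text of the new <record> elements; record ids get a
    suffix derived from the target model so they do not clash.
    """
    suffix = re.sub(r"[.\-]", "_", target_model)
    out = []
    for record in access_records(xml_text).get(source_model, []):
        new = ET.Element("record", model="ir.model.access",
                         id="%s_%s" % (record.get("id"), suffix))
        for field in record.findall("field"):
            nf = ET.SubElement(new, "field", name=field.get("name"))
            if field.get("name") == "model":
                nf.set("search", "[('model', '=', '%s')]" % target_model)
            else:
                # keep group refs and perm_* flags exactly as in the source
                for attr in ("eval", "ref"):
                    if field.get(attr) is not None:
                        nf.set(attr, field.get(attr))
        out.append(ET.tostring(new, encoding="unicode"))
    return out


if __name__ == "__main__":
    missing = models_without_access(SAMPLE_XML, MODULE_MODELS)
    print("models without access records:", missing)
    for model in missing:
        for rec in clone_access(SAMPLE_XML, "product.product", model):
            print(rec)
```

Run against the sample, the audit reports only "product.product-production.bom", and `clone_access` drafts two records for it with the same group reference and perm_* flags as the "product.product" ones; the drafted XML is a starting point to paste into the module (or, for a deployed database, to create through the ir.model.access view as the thread suggests), not something to apply blindly, since the right permissions for the relation model are a design decision.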
History
Date                User         Action  Args
2016-06-17 11:18:52 roundup-bot  set     nosy: + roundup-bot; messages: + msg26378
2016-06-15 16:58:12 ced          set     status: testing -> resolved; messages: + msg26344
2016-06-14 15:48:46 ced          set     messages: + msg26283
2016-05-24 11:35:36 ced          set     messages: + msg25948
2016-05-24 11:26:45 pokoli       set     messages: + msg25947
2016-05-24 10:51:59 ced          set     messages: + msg25945
2016-05-24 10:37:20 pokoli       set     messages: + msg25944
2016-05-23 17:30:12 ced          set     messages: + msg25938
2016-05-23 17:03:52 pokoli       set     messages: + msg25937
2016-05-23 11:56:23 ced          set     status: chatting -> testing; reviews: 26301002; messages: + msg25934; keyword: + review; assignedto: ced
