Tryton - Issues

 

Issue6115

Title Duplicating a product requires "administration" permission
Priority bug Status resolved
Superseder Nosy List ced, nblock, pokoli, reviewbot, roundup-bot
Type behavior Components
Assigned To pokoli Keywords review
Reviews 34541002
View: 34541002

Created on 2016-12-14.15:40:44 by nblock, last changed by roundup-bot.

Messages
New changeset cf33acb1c862 by Sergi Almacellas Abellana in branch '4.2':
Read translations without checking access
http://hg.tryton.org/trytond/rev/cf33acb1c862
New changeset fa0fe05fbdb4 by Sergi Almacellas Abellana in branch 'default':
Read translations without checking access
http://hg.tryton.org/trytond/rev/fa0fe05fbdb4

New changeset 97775c0c172e by Sergi Almacellas Abellana in branch 'default':
Add test about editing and coping translations without admin access
http://hg.tryton.org/trytond/rev/97775c0c172e
review34541002 updated at https://codereview.tryton.org/34541002/#ps40001
review34541002 updated at https://codereview.tryton.org/34541002/#ps20001
msg30744 (view) Author: [hidden] (pokoli) (Tryton committer) Date: 2016-12-14.16:34:25
> @pokoli what makes this behaviour changed?

It think is a side-efect of changeset de90bf5435ce which introduced the instances to save, but they were not browsed with the _check_access set to False. 

I updated the review with the proper fix. 
> 
> I think having access to ir.translation using rule will be too much complex also for some type it is not clear what will be the rule. I think it is easier to keep it like this but even I think we should remove also the read access to anyone because translation could contain sensible data.

Ok, so lets keep the access rule.
New review34541002 at https://codereview.tryton.org/34541002/#ps1
msg30742 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2016-12-14.16:00:56
@pokoli what makes this behaviour changed?

I think having access to ir.translation using rule will be too much complex also for some type it is not clear what will be the rule. I think it is easier to keep it like this but even I think we should remove also the read access to anyone because translation could contain sensible data.
msg30741 (view) Author: [hidden] (nblock) Date: 2016-12-14.15:57:28
The proposed fix allows to duplicate the dataset. Editing any translatable field yields the same error message.
msg30740 (view) Author: [hidden] (pokoli) (Tryton committer) Date: 2016-12-14.15:51:45
Here is review34541002 which fixes it.

But I'm wondering if we should remove the translation access rule for new version and let the user modify any translations he has access to.
msg30739 (view) Author: [hidden] (nblock) Date: 2016-12-14.15:40:44
Since Tryton 4.2 the permission "administration" is required to duplicate a product. The user has the "product administration" permission set. If the "administration" permission is not present, the following error message is shown: "You can not write in this document! (ir.translation)".

Obviously, the "administration" permission should not be required to duplicate a dataset.
History
Date User Action Args
2016-12-30 22:17:27roundup-botsetmessages: + msg31059
2016-12-19 09:42:44roundup-botsetstatus: in-progress -> resolved
nosy: + roundup-bot
messages: + msg30807
2016-12-14 17:55:41reviewbotsetmessages: + msg30748
2016-12-14 16:35:38reviewbotsetmessages: + msg30745
2016-12-14 16:34:25pokolisetmessages: + msg30744
2016-12-14 16:05:44reviewbotsetnosy: + reviewbot
messages: + msg30743
2016-12-14 16:05:43reviewbotsetreviews: 34541002
keyword: + review
2016-12-14 16:00:57cedsetnosy: + ced
messages: + msg30742
2016-12-14 15:57:28nblocksetmessages: + msg30741
2016-12-14 15:51:45pokolisetmessages: + msg30740

Showing 10 items. Show all history (warning: this could be VERY long)