Tryton - Issues

 

Issue9108

Title: Wizard with no access rules doesn't inherit model access rules by default
Priority: bug
Status: resolved
Superseder:
Nosy List: bch, ced, mrichez, nicoe, pokoli, reviewbot, roundup-bot, sharkcz, tbruyere, yangoon
Type: security
Components: trytond
Assigned To: ced
Keywords: review
Reviews: 261041002, 274961002

Created on 2020-03-03.11:07:47 by mrichez, last changed by roundup-bot.

Messages
New changeset ed12abd7a4c4 by Cédric Krier in branch 'default':
Add purchase scenario user to purchase request group
https://hg.tryton.org/tryton-env/rev/ed12abd7a4c4
New changeset 591f0351b359 by Cédric Krier in branch 'default':
Add purchase scenario user to purchase request group
https://hg.tryton.org/modules/stock_supply/rev/591f0351b359
New changeset 0e4e05e17df9 by Cédric Krier in branch 'default':
Add purchase scenario user to purchase request group
https://hg.tryton.org/modules/purchase_request/rev/0e4e05e17df9
New review274961002 at https://codereview.tryton.org/274961002/#ps258941002
New changeset 21aa4b0a5fa3 by Cédric Krier in branch 'default':
Enable check_access context when checking wizard access
https://hg.tryton.org/tryton-env/rev/21aa4b0a5fa3
msg56033 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2020-03-04.00:19:42
I propose to make the security release on 9th March about 18:00 CET and publish the news on the 10th March at 18:00 CET.
msg56023 (view) Author: [hidden] (mrichez) Date: 2020-03-03.11:38:56
LGTM
msg56022 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2020-03-03.11:33:07
Here is review261041002. The issue was introduced in rev a382ef9185e7.
msg56019 (view) Author: [hidden] (mrichez) Date: 2020-03-03.11:07:46
The purchase_request_quotation module adds a new wizard on purchase_request. There are no access rules defined on this wizard. When using a user with only read access on purchase_request and purchase_request_quotation, you can still execute the wizard.
I opened another issue to add the missing access rights (https://bugs.tryton.org/issue9029) but the wizard should inherit the access rights of the underlying model.

I made some tests; the problem seems to be in this test:
https://hg.tryton.org/trytond/file/default/trytond/ir/model.py#l559

With a non-root user, the IF result is True (raise_exception = True and Transaction().context.get('_check_access') is None)
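
Added illustration (not trytond code and not part of any message in this thread) of the behaviour reported in msg56019 and of the fix named in changeset 21aa4b0a5fa3, "Enable check_access context when checking wizard access". Every name here (CONTEXT, model_check, wizard_allowed, the users, the wizard name) is a constructed stand-in, and requiring write access on the underlying model is an assumption of the example.

```python
from contextlib import contextmanager

# Constructed stand-ins for this example; not trytond's code or API.
CONTEXT = {}                                   # models Transaction().context
MODEL_ACCESS = {("reader", "purchase.request"): {"read"},
                ("buyer", "purchase.request"): {"read", "write"}}
WIZARD_RULES = {}                              # wizard -> allowed users; none defined


@contextmanager
def set_context(**values):
    """Temporarily overlay values on the transaction context."""
    saved = dict(CONTEXT)
    CONTEXT.update(values)
    try:
        yield
    finally:
        CONTEXT.clear()
        CONTEXT.update(saved)


def model_check(user, model, mode, raise_exception=True):
    # Condition described in the report: the check passes outright for root,
    # and also when raise_exception is set but '_check_access' is not in context.
    if user == "root" or (raise_exception and not CONTEXT.get("_check_access")):
        return True
    allowed = mode in MODEL_ACCESS.get((user, model), set())
    if not allowed and raise_exception:
        raise PermissionError(f"{user} lacks {mode} access on {model}")
    return allowed


def wizard_allowed(user, wizard, model, fixed):
    """Return True if user may execute wizard, falling back to model access."""
    try:
        rule = WIZARD_RULES.get(wizard)
        if rule is not None:                   # an explicit wizard rule decides
            return user in rule
        if fixed:                              # fix: enable check_access first
            with set_context(_check_access=True):
                return model_check(user, model, "write")
        return model_check(user, model, "write")   # before: check is skipped
    except PermissionError:
        return False


if __name__ == "__main__":
    for user in ("reader", "buyer"):
        for fixed in (False, True):
            print(user, "fixed" if fixed else "before",
                  wizard_allowed(user, "create_quotation", "purchase.request", fixed))
```

A regression test for this class of bug needs a non-root user with read-only model access and a wizard with no rule of its own, because the skipped check is invisible for root and for users who hold the access anyway.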
History
Date                 User         Action  Args
2020-03-11 15:18:42  roundup-bot  set     messages: + msg56217
2020-03-11 15:18:31  roundup-bot  set     messages: + msg56215
2020-03-11 15:18:22  roundup-bot  set     status: chatting -> resolved
                                          messages: + msg56213
2020-03-10 10:32:37  reviewbot    set     status: resolved -> chatting
                                          messages: + msg56172
2020-03-10 10:32:37  reviewbot    set     reviews: 261041002 -> 261041002, 274961002
2020-03-09 18:49:07  roundup-bot  set     status: testing -> resolved
                                          messages: + msg56157
2020-03-04 00:19:43  ced          set     messages: + msg56033
2020-03-04 00:18:17  ced          set     title: Wizard with no access rules doesn't herit model access rules by default -> Wizard with no access rules doesn't inherit model access rules by default
2020-03-03 11:53:38  ced          unlink  issue9029 superseder
2020-03-03 11:43:14  ced          link    issue9029 superseder
