** Changed in: openobject-server
   Importance: Undecided => Medium

** Changed in: openobject-server
    Milestone: 6.0 => 6.0-rc2

** Changed in: openobject-server
     Assignee: (unassigned) => OpenERP's Framework R&D (openerp-dev-framework)

-- 
ORM: search should return empty list when meeting a NULL many2one in the middle 
of the evaluation of a chained domain expression.
https://bugs.launchpad.net/bugs/598454

Status in OpenObject Server: Confirmed

Bug description:
Search should return empty list when meeting a NULL many2one in the middle of 
the evaluation of a chained domain expression.

Given the record rule domain:
   [('employee_id.department_id.manager_id.user_id.id', '=', user.id)]
Without the patch, the domain also matches objects whose employee is not in a 
department, i.e. it explicitly searches for objects for which 
'employee_id.department_id IS NULL'.
This behavior is a security risk (potential information leakage).

I guess there could be a better way than my patch to handle this.
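
A minimal model of the behaviour reported above, added here as an example; it is not part of the bug report and not OpenERP's code. It resolves the chained domain right to left over a constructed SQLite schema (table names and rows are assumptions); `null_matches=True` reproduces the reported match on a NULL `department_id` without modelling how the ORM arrives at it, and `null_matches=False` gives the expected result.

```python
import sqlite3

# Constructed schema and rows. Only the field names in CHAIN come from the
# reported domain; table names and data are assumptions for this sketch.
SCHEMA = """
CREATE TABLE users(id INTEGER PRIMARY KEY);
CREATE TABLE employee(id INTEGER PRIMARY KEY, user_id INTEGER, department_id INTEGER);
CREATE TABLE department(id INTEGER PRIMARY KEY, manager_id INTEGER);
CREATE TABLE timesheet(id INTEGER PRIMARY KEY, employee_id INTEGER);
INSERT INTO users VALUES (1), (2);
-- employee 12 has no department; 10 and 13 are the two managers
INSERT INTO employee VALUES (10, 1, 100), (11, NULL, 100), (12, NULL, NULL), (13, 2, 101);
INSERT INTO department VALUES (100, 10), (101, 13);
INSERT INTO timesheet VALUES (1000, 11), (1001, 12), (1002, 13);
"""

# employee_id.department_id.manager_id.user_id.id, one (table, field) per hop
CHAIN = [("timesheet", "employee_id"), ("employee", "department_id"),
         ("department", "manager_id"), ("employee", "user_id")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def search(db, uid, null_matches):
    """Return timesheet ids visible to uid under the record rule."""
    ids = [uid]  # innermost leaf: user_id.id = uid
    for table, field in reversed(CHAIN):
        marks = ",".join("?" * len(ids))
        where = f"{field} IN ({marks})"
        if null_matches and field == "department_id":
            # Reported pre-patch behaviour: the NULL link is matched too.
            where += f" OR {field} IS NULL"
        rows = db.execute(f"SELECT id FROM {table} WHERE {where} ORDER BY id", ids)
        ids = [r[0] for r in rows]
        if not ids:
            return []  # an empty hop can never match further out
    return ids


if __name__ == "__main__":
    db = make_db()
    for uid in (1, 2):
        ok = search(db, uid, null_matches=False)
        leaky = search(db, uid, null_matches=True)
        print(f"user {uid}: expected={ok} reported={leaky} leaked={sorted(set(leaky) - set(ok))}")
```

Timesheet 1001 belongs to the employee without a department and shows up for every manager in the reported behaviour, which makes it a usable regression fixture for the record rule.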


