** Changed in: openobject-server
       Status: Triaged => Incomplete

https://bugs.launchpad.net/bugs/657013

Title:
  Several security flaws

Status in OpenObject Server:
  Incomplete

Bug description:
  Any user that must be able to create a document with a workflow such as 
'sale.order' must have write/create rights on the workflow item and instance 
models. This means the user will be able to modify the workflow step of any 
document in the system, such as invoices, even if he has no rights on invoices. 
This will desynchronize the model's 'state' field from the workflow step, leaving a 
messy system.

'ir.attachment' already has this point solved so the same solution should be 
applied here for 'instance' and 'workitem' models.

I think similar issues apply to other models that affect the way OpenERP works 
(I haven't checked them deeply):

- In 'ir.rule': one must give read access to 'ir.rule' to all users. Do we 
really want to let users know what restrictions are being applied to them?
- In 'ir.property': Isn't it possible for any user to access any information only 
because they must be given read access to the 'ir.property' model?
- In 'ir.sequence': If a user must have access to a sequence to create 
'sale.order', he will have access to other sequences as well. (Right, you can 
create rules for that, but it really is not sensible to ask that of the 
administrator.)
- In 'ir.default': Do we want to let users see what other users set as default 
value for themselves?
- In 'ir.model.access': Do we want to let users see what other users are 
allowed to see and what not?
- In 'ir.translation': We're letting any user read and probably overwrite 
information of data they may not be allowed to access.

And basically any model that is given at least read access to all users should 
be analyzed.
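As an added illustration of the access-control point in the report (this is not code from OpenERP, nor from the reporter), the following Python models the two kinds of check side by side: a naive check that consults only the model-level ACL of the workflow bookkeeping models, and a hardened variant that additionally delegates to the access rights of the business document the workflow step belongs to, in the spirit of the ir.attachment approach the report refers to. The ACL table, the record rule, the res_model/res_id field names and all sample users and documents are constructed assumptions for the example.

```python
"""Model-level ACL versus a check delegated to the parent document.

Illustrative code written for this discussion; it is not OpenERP's
implementation. Every table and name below is a constructed assumption.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Constructed model-level ACL: model name -> group name -> allowed operations.
# The workflow bookkeeping models must be writable by every group that may
# create a workflow-driven document, which is exactly the report's complaint.
MODEL_ACL: Dict[str, Dict[str, Set[str]]] = {
    "sale.order":        {"sales": {"read", "write", "create"}},
    "account.invoice":   {"accounting": {"read", "write", "create"}},
    "workflow.instance": {"sales": {"read", "write", "create"},
                          "accounting": {"read", "write", "create"}},
    "workflow.workitem": {"sales": {"read", "write", "create"},
                          "accounting": {"read", "write", "create"}},
}

# Constructed record rule (the role ir.rule plays): sales orders are only
# writable by their owner. Invoices carry no extra rule in this sample.
RECORD_RULES: Dict[str, Callable[["User", dict], bool]] = {
    "sale.order": lambda user, doc: doc["owner"] == user.login,
}

# Constructed business documents keyed by (model, id).
DOCUMENTS: Dict[Tuple[str, int], dict] = {
    ("sale.order", 10):      {"owner": "alice", "state": "draft"},
    ("sale.order", 11):      {"owner": "bob",   "state": "draft"},
    ("account.invoice", 20): {"owner": "carol", "state": "open"},
}


@dataclass
class User:
    login: str
    groups: Set[str]


@dataclass
class WorkItem:
    """One workflow step bound to a business document (res_model/res_id
    naming is an assumption borrowed from the attachment model's style)."""
    id: int
    res_model: str
    res_id: int
    activity: str


def model_access(user: User, model: str, op: str) -> bool:
    """Model-level ACL: true if any of the user's groups grants op on model."""
    grants = MODEL_ACL.get(model, {})
    return any(op in grants.get(g, set()) for g in user.groups)


def record_access(user: User, model: str, rec_id: int) -> bool:
    """Record-level rule on the parent document; absent rule means allowed."""
    rule = RECORD_RULES.get(model)
    return rule(user, DOCUMENTS[(model, rec_id)]) if rule else True


def can_write_workitem_naive(user: User, item: WorkItem) -> bool:
    """Weak check: only the workitem model's own ACL is consulted, so anyone
    with workflow rights may move the workflow step of any document."""
    return model_access(user, "workflow.workitem", "write")


def can_write_workitem_hardened(user: User, item: WorkItem) -> bool:
    """Hardened check: moving a step also requires model and record access
    on the business document the step belongs to."""
    return (model_access(user, "workflow.workitem", "write")
            and model_access(user, item.res_model, "write")
            and record_access(user, item.res_model, item.res_id))


def audit(user: User, items: List[WorkItem], check) -> List[int]:
    """Ids of the workitems the user could modify under the given check."""
    return sorted(i.id for i in items if check(user, i))


def advance_step(user: User, item: WorkItem, new_activity: str, check) -> bool:
    """Move the workflow step if `check` allows it. Only the workitem moves;
    the document's 'state' is untouched, which is the desynchronisation the
    report describes."""
    if not check(user, item):
        return False
    item.activity = new_activity
    return True


def desynchronised(items: List[WorkItem]) -> List[int]:
    """Ids of workitems whose step no longer matches the document state."""
    return sorted(i.id for i in items
                  if i.activity != DOCUMENTS[(i.res_model, i.res_id)]["state"])


SALES_USER = User("alice", {"sales"})        # constructed sample user
ACCOUNTANT = User("carol", {"accounting"})   # constructed sample user
ITEMS = [
    WorkItem(1, "sale.order", 10, "draft"),
    WorkItem(2, "sale.order", 11, "draft"),
    WorkItem(3, "account.invoice", 20, "open"),
]

if __name__ == "__main__":
    for label, check in (("naive", can_write_workitem_naive),
                         ("hardened", can_write_workitem_hardened)):
        print(label, "alice:", audit(SALES_USER, ITEMS, check),
              "carol:", audit(ACCOUNTANT, ITEMS, check))
    advance_step(SALES_USER, ITEMS[2], "paid", can_write_workitem_naive)
    print("desynchronised workitems:", desynchronised(ITEMS))
```

Under the naive check the sales user can move the workflow step of every document, including the invoice she has no rights on; under the hardened check she is limited to the sales order she owns, and the same rule set keeps the accountant away from sales orders. The audit function doubles as a simple detection aid: run over the real workitem table it lists which records a given user could touch under each policy.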