Hi, To answer your question, the `groups` attribute that you can put on fields will restrict its visibility (in the UI) to only members of the named groups. It's not deprecated, and may be a comma-separated list of groups, in which case it will be visible to users of all the mentioned groups. This is by no means a security mechanism (hence this is not a security bug), it's only present to customize views, and will not enforce any per-field access restriction. You can use it in the python declaration to make it global, or put it in any view, for local effect.
Now you're right, the correct ID of the group is 'share.group_share_user'. However this is of no consequence here, because the 'share' field is not displayed in users/groups form/list views at all, it's an internal flag to track 'share users'. And it's simply not included in any form/list view, so that's fine. It should only be in the search view, along with the special 'no_share' filter used to hide 'share_users' by default, and visible by everyone. The unnecessary and incorrect `groups` attributes should still be removed, as they're just confusing. This was done in trunk at revision 5239 revid: [email protected] Thanks for reporting! ** Changed in: openobject-addons Importance: Undecided => Low ** Changed in: openobject-addons Status: New => Fix Released ** Changed in: openobject-addons Milestone: None => 6.1 ** Changed in: openobject-addons Assignee: (unassigned) => OpenERP's Framework R&D (openerp-dev-framework) ** Visibility changed to: Public ** This bug is no longer flagged as a security vulnerability -- You received this bug notification because you are a member of C2C OERPScenario, which is subscribed to OpenERP Project Group. https://bugs.launchpad.net/bugs/863089 Title: users share field group access incorrect Status in OpenERP Addons (modules): Fix Released Bug description: In the module 'share', in the file 'res_users.py' : In both 'share' field definitions (res.groups and res.users) is the attribute: groups='share.group_share' However, this group is not declared anywhere in the 'share' module. I can see the ID 'group_share_user' in the security file. I think this should be used in the 'share' fields. I found this bug in the addons of OpenERP: branch: http://bazaar.launchpad.net/~openerp/openobject-addons/6.0/ revno: 4821 (i did not search for other branches, revisions or whatever). I found this bug because I wanted to learn how the 'groups' attribute on 'fields' works. There is little documentation about this. Might it be deprecated??? To manage notifications about this bug go to: https://bugs.launchpad.net/openobject-addons/+bug/863089/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~c2c-oerpscenario Post to : [email protected] Unsubscribe : https://launchpad.net/~c2c-oerpscenario More help : https://help.launchpad.net/ListHelp
