Oh - my mistake, I see: again, when I am not talking up to your official mind, I am wrong... :).

These are just about one half of the problem:

http://openerp.com/forum/topic7743.html
http://openerp.com/forum/topic6389.html
http://openerp.com/forum/topic2449.html
http://openerp.com/forum/topic4213.html
http://openerp.com/forum/topic3725.html
http://openerp.com/forum/topic896.html

I tried to secure OpenERP so as not to allow a user to read info not intended for him to see. There are 2 things that should be done - remove access to the menus and to the models that the user should not access. But there is one model that could not be restricted - res.users. If we restrict this model to, let's say, admin, no one else is able to log in. And this is where the plaintext password still lives. I am very sorry that I can no longer find the topic where Fabien himself proposed a patch - as I remember, a more or less working Python code snippet to replace the password field with a hashed result. But anyway, these bugs are well known, but are not implemented. (I do not know about the 5th version; I have not tried it yet.)

Ok, I tried to build a small Perl script (I like this language, and consider it more mature), which logs in as an unprivileged user through an XML-RPC connection and reads the unrestricted res.users model. And this is where you can find any and every login information. This is true and tried by myself.

Why have I not submitted a patch for this? There are several reasons for this, and you can find them in my other posts. Anyway, I am not the only one who thinks that more attention should be paid to maturity and stability, not only new features.

Recently I discovered a fork of this system called Tryton (it can be found on tryton.org), which aims to fix these issues. This is their policy; I do not know how well they are implementing it, as I have not tried it yet, although they have a release. But to me this is a clear result of the lack of respect and attention to an ordinary contributor; remember the German translations and contributions. Ah well, they were wrong too. :) Though it is absolutely not good to divide forces.

P.S. It would be better if such advocates as gegard would spend a little more time testing, not just blindly opposing. Just think, who would spend time to discover things like this, if one would be "fake"?

Good day!
-sraps

-------------------- m2f --------------------
--
http://www.openerp.com/forum/viewtopic.php?p=27254#27254
-------------------- m2f --------------------
_______________________________________________
Tinyerp-users mailing list
http://tiny.be/mailman/listinfo/tinyerp-users
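
Added example, not part of the original post and not OpenERP code: a Python illustration of the two server-side mitigations the post points at, storing a salted hash instead of the plaintext password (the kind of change the post attributes to Fabien's patch) and dropping the password field from read results so that a res.users-like table can stay readable for login. UserStore, its methods, the PBKDF2 parameters and the sample accounts are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000             # assumed work factor, tune for your hardware
SENSITIVE_FIELDS = {"password"}  # never returned by read(), whoever asks


def hash_password(plain: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$digest' with a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(plain: str, stored: str) -> bool:
    """Recompute the digest from the stored salt; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # legacy plaintext or malformed value never matches
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, rounds)
    return hmac.compare_digest(candidate, expected)


class UserStore:
    """Hypothetical in-memory stand-in for the res.users table."""

    def __init__(self):
        self._rows = {}

    def create(self, uid, login, password):
        self._rows[uid] = {"id": uid, "login": login,
                           "password": hash_password(password)}

    def authenticate(self, login, password):
        """Login still works for everyone: the hash is checked server-side."""
        for row in self._rows.values():
            if row["login"] == login and verify_password(password, row["password"]):
                return row["id"]
        return None

    def read(self, fields=None):
        """Readable by any logged-in user, minus the sensitive fields."""
        wanted = set(fields or ["id", "login", "password"]) - SENSITIVE_FIELDS
        return [{k: r[k] for k in wanted if k in r} for r in self._rows.values()]
```

With both measures in place, restricting the whole model is no longer needed to protect credentials: authentication never hands the stored value to the client, and a read that explicitly asks for the password field gets the row back without it.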
