Any employee can access all leads

Bug #1066580 reported by Christophe Combelles
This bug affects 2 people
Affects: Odoo Addons (MOVED TO GITHUB)
Status: Fix Released
Importance: Medium
Assigned to: OpenERP R&D Addons Team 1
Milestone: 7.0

Bug Description

How to reproduce:

- create a fresh database using either 6.1-1 or latest nightly. (I tested with the FR_fr locale)
- install the CRM
- create an opportunity
- open the form view of this opportunity.
- copy the URL of this form view. It should look like

http://localhost:8069/web/webclient/home#id=1&view_type=form&title=Opportunit%C3%A9s&model=crm.lead&action_id=150

- create a new user, un-check all permissions, only keep HR : Employee
- log out from admin
- log in using the new account

Open the same URL :

http://localhost:8069/web/webclient/home#id=1&view_type=form&title=Opportunit%C3%A9s&model=crm.lead&action_id=150

=> The user has access to the lead. He can also open any other view.

Olivier Dony (Odoo) (odo-openerp) wrote:

Hi Christophe,

Could you please elaborate on your bug report? I think you're familiar enough with the OpenERP framework to know that all of the following things are orthogonal:
- access rights (CRUD permissions on models a.k.a database tables)
- record rules (global or group-local per-record filtering rules)
- menu visibility (based on groups but not necessarily linked to access rights - you might not see a menu to something you can read)
- web client URL mapping to OpenERP actions (a desired feature is that URLs clearly and directly map to corresponding OpenERP actions and records)

Based on these premises, I assume you are only concerned about the default access rights and rules that are set for crm.lead records? (even though your description seems to focus on URL replay?)

The result you are describing in your report is the expected result, given the fact that the CRM module grants read access to all leads to all Employees by default. I agree that this may not be 100% consistent with the presence of the "User - See All Leads" Group, but this is only a default configuration setting - it should be reviewed just like all other access rights when setting up a new deployment.
Also keep in mind that Employees may only read the leads, but they may not modify them in any way - they need one of the "User - See XXX Leads" groups to do so.

We should not change this in stable versions, as many installations could depend on the current settings. If anyone is concerned about it and did not properly review the access right during deployment, they can still simply change the default access rights.

For 7.0 however it might be possible to drop this default access right on Employee and keep it exclusively on the "User - See XXX Leads" groups, provided this does not break anything else. Is that what you had in mind?

Thanks in advance for providing some more details on your bug report...

Changed in openobject-addons:
status: New → Incomplete
Christophe Combelles (ccomb) wrote:

I consider this a pure functional bug, hidden by the default menu visibility configuration, and leading to a security issue in default installations. I mean a security issue in terms of internal confidentiality in a company.

There is a HR module, and there is a CRM module. Both correspond to different use cases, different roles in the company, held by different teams with different permissions. An employee can be a salesman, but also an accountant, an engineer, a technician, a temporary employee, etc. He is not supposed to access any lead, unless explicitly allowed to do so by the Sales team. Ask *any* CEO if he would like *all* his employees to access by default all the upcoming Sales opportunities...

As you said, the default behaviour is to let all employees access all leads. It really looks like a late and awkward justification of a broken default configuration:

If this is really intended, you should let the Leads and Opportunity menus be visible to everyone, otherwise it is a false impression of security for anyone. I'm curious to discover how many people are aware of this behaviour, maybe we should ask on the community list?

If this is not intended, you should definitely close access to the leads when a user is not explicitly allowed.

Launchpad Janitor (janitor) wrote:

[Expired for OpenERP Addons because there has been no activity for 60 days.]

Changed in openobject-addons:
status: Incomplete → Expired
Changed in openobject-addons:
status: Expired → New
Christophe Combelles (ccomb) wrote:

Hi, it's been 5 months since this report, what's the eventual status? Is there any plan to do something? May I remove the private status?

Olivier Dony (Odoo) (odo-openerp) wrote:

Hello Christophe,

After further investigation, this was apparently changed in 6.1 at revision "<email address hidden>" where read access was granted by default to all Employees. I believe it was done because of the "History" tab that shows related Leads/Opportunities on the Customer form, which would make the form view crash for normal employees, even if the tab was hidden by a "groups" attribute.

The Leads have been removed from the History tab in 7.0 (replaced by a button to open the list) so we can simply drop this useless extra right. For 6.1 you could workaround this by adding an extra access rule on Leads to the Employee group, similarly to the one of the "Sales/See Own Leads" group. This effectively makes the "Sales/See Own Leads" group redundant with the "Employee" group, but at least provides a correct security control: normal employees will only see leads assigned to them - presumably none.

PS: I dropped the "Private" flag on the bug.

Changed in openobject-addons:
assignee: nobody → OpenERP R&D Addons Team 1 (openerp-dev-addons1)
importance: Undecided → Medium
milestone: none → 7.0
status: New → Confirmed
information type: Private Security → Public Security
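The 6.1 workaround described in the comment above, written out as an added example (this is not code from the OpenERP addons or from either commenter): a small custom module's data file that attaches a group-local record rule on crm.lead to the Employee group (base.group_user), in the spirit of the "Sales/See Own Leads" rule, so that an employee outside the sales groups only sees leads assigned to them. It goes one step beyond the comment by adding the same rule on crm.phonecall, since the 7.0 fix mentioned later in the thread also covers phonecalls. The module name (crm_employee_rule), the record ids, the rule names and the exact domain are my own assumptions; the ir.rule field names and the crm.model_crm_lead / crm.model_crm_phonecall references follow the conventions of the 6.1 framework.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not part of the OpenERP addons. Assumed to live in a custom
     module named crm_employee_rule that depends on "crm" and lists this file in
     its __openerp__.py data entry, so it is loaded after crm's own rules. -->
<openerp>
    <data noupdate="1">
        <!-- Why a rule is needed at all: the stock ir.model.access line gives the
             Employee group read access to crm.lead, and a user who matches no
             group-local record rule on a model is not row-filtered at all. Once
             at least one group rule applies to the user, only rows matching the
             OR of the applicable group rules are returned, so a plain Employee
             is restricted to the rows below. -->
        <record id="crm_rule_employee_own_lead" model="ir.rule">
            <field name="name">Employee: own leads only (assumed name)</field>
            <field name="model_id" ref="crm.model_crm_lead"/>
            <!-- Assumed domain: only leads where the responsible user is the
                 current user. Stricter than a rule that also admits unassigned
                 leads (user_id = False); for most employees this matches nothing. -->
            <field name="domain_force">[('user_id', '=', user.id)]</field>
            <!-- (4, id) links the rule to the Employee group without touching
                 the other groups already attached. -->
            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
            <field name="perm_read" eval="True"/>
            <field name="perm_write" eval="True"/>
            <field name="perm_create" eval="True"/>
            <field name="perm_unlink" eval="True"/>
        </record>

        <!-- Same treatment for phonecalls (extension of the comment's advice;
             assumes crm.phonecall carries a user_id field, as it does in 6.1). -->
        <record id="crm_rule_employee_own_phonecall" model="ir.rule">
            <field name="name">Employee: own phonecalls only (assumed name)</field>
            <field name="model_id" ref="crm.model_crm_phonecall"/>
            <field name="domain_force">[('user_id', '=', user.id)]</field>
            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
            <field name="perm_read" eval="True"/>
            <field name="perm_write" eval="True"/>
            <field name="perm_create" eval="True"/>
            <field name="perm_unlink" eval="True"/>
        </record>
    </data>
</openerp>
```

To check it, repeat the steps from the bug description: log in as the user that only has HR / Employee and open the crm.lead form URL. With the rule in place the record is no longer returned, because the read is filtered by the rule rather than merely hidden by menu visibility. Two caveats follow from how rules combine. First, group rules are OR-ed, so anyone who is also in "Sales / See All Leads" keeps that group's unrestricted rule and sees everything, which is the redundancy the comment mentions. Second, the rule compensates for the access right but does not remove it: the 7.0 fix drops the ir.model.access line itself, and on 6.1 you should still review ir.model.access for crm.lead and crm.phonecall when auditing a deployment.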
Olivier Dony (Odoo) (odo-openerp) wrote:

The removal of the incorrect access rights for CRM Leads/Opportunities and Phonecalls was applied in addons 7.0 at revision 8927 (rev-id: <email address hidden>).

For OpenERP 6.1, see the workaround suggested in comment #5.

Thanks for your patience and your detailed bug report!

Changed in openobject-addons:
status: Confirmed → Fix Released
This report contains Public Security information  