Any employee can access all leads
Bug #1066580 reported by Christophe Combelles
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Odoo Addons (MOVED TO GITHUB) | Fix Released | Medium | OpenERP R&D Addons Team 1 |
Bug Description
How to reproduce:
- create a fresh database using either 6.1-1 or latest nightly. (I tested with the FR_fr locale)
- install the CRM
- create an opportunity
- open the form view of this opportunity.
- copy the URL of this form view. It should look like
- create a new user, un-check all permissions, only keep HR : Employee
- log-out from admin
- log in using the new account
Open the same URL:
=> The user has access to the lead. He can also open any other view.
Changed in openobject-addons: status: Expired → New
Hi Christophe,
Could you please elaborate on your bug report? I think you're familiar enough with the OpenERP framework to know that all of the following things are orthogonal:
- access rights (CRUD permissions on models a.k.a database tables)
- record rules (global or group-local per-record filtering rules)
- menu visibility (based on groups but not necessarily linked to access rights - you might not see a menu to something you can read)
- web client URL mapping to OpenERP actions (a desired feature is that URLs clearly and directly map to corresponding OpenERP actions and records)
Based on these premises, I assume you are only concerned about the default access rights and rules that are set for crm.lead records? (even though your description seems to focus on URL replay?)
The result you are describing in your report is the expected result, given the fact that the CRM module grants read access to all leads to all Employees by default. I agree that this may not be 100% consistent with the presence of the "User - See All Leads" Group, but this is only a default configuration setting - it should be reviewed just like all other access rights when setting up a new deployment.
Also keep in mind that Employees may only read the leads, but they may not modify them in any way - they need one of the "User - See XXX Leads" groups to do so.
We should not change this in stable versions, as many installations could depend on the current settings. If anyone is concerned about it and did not properly review the access rights during deployment, they can still simply change the default access rights.
For 7.0 however it might be possible to drop this default access right on Employee and keep it exclusively on the "User - See XXX Leads" groups, provided this does not break anything else. Is that what you had in mind?
Thanks in advance for providing some more details on your bug report...
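The reply above separates four things (access rights, record rules, menu visibility, URL mapping) and says the reported behaviour follows from the first alone. The following is an added example, not code from the thread or from the Odoo/OpenERP code base: a small Python model of how the ORM composes the two layers that actually decide a request, ir.model.access (CRUD per model and group) and ir.rule (per-record domains), applied to the reporter's reproduction steps. The group XML-ids, the ACL lines and the record rule are assumptions that mirror the defaults the thread describes, not a copy of the crm module's security files; the opportunity and user records are constructed. It shows that the Employee-only user reads but cannot modify the lead under the default table, that dropping the Employee line (the 7.0 change floated above) closes the read, and that a "See Own Leads" user is further filtered per record by the rule layer.

```python
"""Toy model of OpenERP's two access layers (added example, not Odoo code).

ir.model.access (CRUD per model and group) and ir.rule (per-record domains)
are evaluated independently by the ORM; a request must pass BOTH.  Menu
visibility and the web client's URL mapping take no part in the decision,
which is why replaying a form-view URL is not by itself a bypass.
Group XML-ids, ACL lines and the rule below are assumptions that mirror the
defaults the thread describes, not the crm module's actual security files.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Record = Dict[str, object]
Domain = Callable[[Record, str], bool]   # (record, uid) -> does the domain match?


@dataclass(frozen=True)
class AccessRight:
    """One line of ir.model.access.csv."""
    model: str
    group: str
    read: bool
    write: bool
    create: bool
    unlink: bool


@dataclass(frozen=True)
class RecordRule:
    """One ir.rule; an empty group set means a global rule."""
    model: str
    groups: frozenset
    domain: Domain


@dataclass(frozen=True)
class User:
    uid: str
    groups: frozenset


def check_access(acl: List[AccessRight], user: User, model: str, mode: str) -> bool:
    """Layer 1: some right attached to one of the user's groups grants `mode`."""
    return any(a.model == model and a.group in user.groups and getattr(a, mode)
               for a in acl)


def check_rules(rules: List[RecordRule], user: User, model: str, rec: Record) -> bool:
    """Layer 2: every global rule must match, and if any group rule applies to
    this user at least one of those must match.  A user in none of the rule
    groups is filtered by global rules only (no rule at all means no filter)."""
    glob = [r for r in rules if r.model == model and not r.groups]
    mine = [r for r in rules if r.model == model and r.groups & user.groups]
    if not all(r.domain(rec, user.uid) for r in glob):
        return False
    return not mine or any(r.domain(rec, user.uid) for r in mine)


def can(acl, rules, user, model, rec, mode) -> bool:
    """Effective permission: both layers must allow the operation."""
    return check_access(acl, user, model, mode) and check_rules(rules, user, model, rec)


# Assumed group ids: base.group_user is Employee; the two sales groups stand
# in for the "User - See Own/All Leads" groups mentioned in the thread.
EMPLOYEE = "base.group_user"
OWN_LEADS = "base.group_sale_salesman"
ALL_LEADS = "base.group_sale_salesman_all_leads"

# Default described in the thread: Employees get read-only on crm.lead.
DEFAULT_ACL = [
    AccessRight("crm.lead", EMPLOYEE,  True, False, False, False),
    AccessRight("crm.lead", OWN_LEADS, True, True, True, True),
    AccessRight("crm.lead", ALL_LEADS, True, True, True, True),
]
# Hardened variant (the change floated for 7.0): no Employee line at all.
HARDENED_ACL = [a for a in DEFAULT_ACL if a.group != EMPLOYEE]

# Group-local rule: "See Own Leads" users only see records they own.
RULES = [
    RecordRule("crm.lead", frozenset({OWN_LEADS}),
               lambda rec, uid: rec["user_id"] == uid),
]

MODES = ("read", "write", "create", "unlink")


def reproduce(acl: List[AccessRight]) -> Dict[str, bool]:
    """The report's steps: a fresh user holding only Employee opens the
    form-view URL of an opportunity owned by admin (constructed record)."""
    new_user = User("new_user", frozenset({EMPLOYEE}))
    opportunity: Record = {"id": 7, "name": "Big deal", "user_id": "admin"}
    return {m: can(acl, RULES, new_user, "crm.lead", opportunity, m) for m in MODES}


def salesman_view(acl: List[AccessRight]) -> Dict[str, bool]:
    """A 'See Own Leads' user: the ACL grants read, the rule decides per record."""
    sales = User("sales", frozenset({EMPLOYEE, OWN_LEADS}))
    own: Record = {"id": 8, "name": "Mine", "user_id": "sales"}
    other: Record = {"id": 9, "name": "Admin's", "user_id": "admin"}
    return {"own": can(acl, RULES, sales, "crm.lead", own, "read"),
            "other": can(acl, RULES, sales, "crm.lead", other, "read")}


if __name__ == "__main__":
    print("default :", reproduce(DEFAULT_ACL))    # read only
    print("hardened:", reproduce(HARDENED_ACL))   # nothing
    print("salesman:", salesman_view(DEFAULT_ACL))  # own yes, other no
```

When reviewing a deployment, the equivalent check on a live instance is to list the ir.model.access lines and ir.rule records attached to the model in question for each group a low-privilege user holds, rather than to test whether a menu or URL is reachable: the model above makes no reference to either, and neither does the ORM.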