browse_record prefetching may cause spurious `Access Denied` errors (e.g. after refresh())
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Odoo Server (MOVED TO GITHUB) | Fix Released | Medium | OpenERP's Framework R&D |
Bug Description
To reproduce:
Create a database with two companies, with company B the parent company of company A. Create a user for company A.
Set a pdb hook at any point. Trigger the interactive console in a session of the created user. Type the following, where '1' is the id of company A, the company of the current user.
```
(Pdb) co = self.pool.
(Pdb) co._data.keys()
[1]
(Pdb) co.name
u'Your Company'
(Pdb) co.refresh()
(Pdb) co._data.keys()
[1, 3]
(Pdb) co.name
*** except_orm: (u'Access Denied', u'The requested operation cannot be completed due to security restrictions. Please contact your system administrator.
```
Analysis:
You see in the output of the interactive session that the id of the parent company ends up in the browse record _data dictionary. When you read out the name of the company again, an attempt will be made to read all the companies in this dictionary. This will lead to an access error because the user does not have permissions on the parent company.
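The cache behaviour analysed above, reduced to a small model. This is an added example, not OpenERP code and not the content of the linked branch: `BrowseRecord`, `read`, `ALLOWED_IDS` and the `safe_prefetch` fallback are assumptions made for illustration, with the fallback being one possible mitigation that retries the read for the requested id only, so the record rule stays enforced on every read.

```python
class AccessDenied(Exception):
    """Stand-in for the except_orm 'Access Denied' error in the session above."""

# Constructed data: company 1 is the user's company, company 3 its parent.
COMPANIES = {1: {"name": "Your Company", "parent_id": 3},
             3: {"name": "Parent Company", "parent_id": None}}
ALLOWED_IDS = {1}  # assumed record rule: the user may read only company 1

def read(ids):
    """Batch read; a single forbidden id fails the whole call."""
    denied = set(ids) - ALLOWED_IDS
    if denied:
        raise AccessDenied(sorted(denied))
    return {i: dict(COMPANIES[i]) for i in ids}

class BrowseRecord:
    def __init__(self, rec_id, safe_prefetch=False):
        self._id = rec_id
        self._data = {rec_id: {}}  # cache: id -> field values
        self.safe_prefetch = safe_prefetch

    def get(self, field):
        if field not in self._data[self._id]:
            # Prefetch: fetch every cached id that lacks the field, not just ours.
            ids = [i for i, vals in self._data.items() if field not in vals]
            try:
                rows = read(ids)
            except AccessDenied:
                if not self.safe_prefetch:
                    raise
                rows = read([self._id])  # fallback: only the requested record
            for i, row in rows.items():
                self._data[i].update(row)
                if row["parent_id"] is not None:
                    # The many2one target is registered in the same cache.
                    self._data.setdefault(row["parent_id"], {})
        return self._data[self._id][field]

    def refresh(self):
        for vals in self._data.values():
            vals.clear()  # values are dropped, ids stay in the cache

def session(safe_prefetch):
    """Replays the pdb steps: read name, refresh, list cached ids, read name again."""
    co = BrowseRecord(1, safe_prefetch)
    first = co.get("name")
    co.refresh()
    keys = sorted(co._data)
    try:
        second = co.get("name")
    except AccessDenied:
        second = "Access Denied"
    return first, keys, second
```
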
Related branches
- OpenERP Core Team: Pending requested
  Diff: 36 lines (+12/-0), 1 file modified: openerp/osv/orm.py (+12/-0)
- OpenERP Core Team: Pending requested
  Diff: 373958 lines (+265478/-2426) (has conflicts), 80 files modified
summary:
- Access denied after refresh of a res.company browse record with parent company
+ browse_record prefetching may cause spurious `Access Denied` errors (e.g. after refresh())
Hi Twinkle Christian,
you marked this bug as a duplicate of lp:1212429. However, according to the suggested fix the problem there is merely that a lookup is performed to the warehouse with id 'stock.warehouse0', which could belong to a different company than the current company of the user. This bug concerns a fundamental flaw in the browse record cache. I am unmarking the duplicate.