[Erp5-dev] security problems in related objects

Bartek Gorny bartek at gorny.edu.pl
Thu Jan 21 10:43:20 CET 2010


Hi

It seems there is a security-related problem in jumps between related
objects: if there is a relation between A and B, then you can set up
an "object_jump" action to be able to jump from B to A, and there is a
stock script Base_jumpToRelatedObject to do that. But, the script uses
".get*RelatedList" accessor which is security-unaware. The result is
that if A is not viewable to the current user the click on the jump
action raises Unauthorized, and the browser pops up a login box.

I remember that two years ago I found a similar problem but from the
other side - that if there was a relation from A to B, A's form
contained a relation stringfield to B and B was not viewable then the
form would raise Unauthorized. I then submitted a patch, and later
Romain fixed it. But the problem persists at the other end of the
relation. I could hack around it, but I think it is worth fixing in
the trunk - the security system is one of the most powerful features
of ERP5...

Bartek

-- 
"Software is largely a service industry operating under the persistent
but unfounded delusion that it is a manufacturing industry."
Eric S. Raymond, "The Magic Cauldron"
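The failure mode described in the message, modelled as an added Python example (this is not code from the message, from ERP5 or from Zope): a security-unaware accessor returns every related object, the redirect to a non-viewable one raises Unauthorized, and the hardened variant filters the accessor result through a permission check before redirecting. All names here (Document, SecurityContext, jump_to_related_unsafe, jump_to_related_safe, the sample ACLs) are hypothetical stand-ins for the portal objects, the security manager, the get*RelatedList accessor and the Base_jumpToRelatedObject script.

```python
"""Model of a security-unaware related-object jump and its permission-filtered fix.

Added illustration only: the classes below are hypothetical stand-ins, not the
ERP5 API. Sample objects and ACLs are constructed inline.
"""
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Stand-in for the exception that makes the browser pop up a login box."""


@dataclass
class Document:
    id: str
    # Logins allowed to view this object (constructed sample ACL).
    viewers: set = field(default_factory=set)
    # Objects on the other end of the relation, i.e. what a
    # security-unaware get*RelatedList-style accessor would return.
    related_from: list = field(default_factory=list)


@dataclass
class SecurityContext:
    """Minimal model of the security manager for the current user."""
    user: str

    def check_permission(self, permission, obj):
        # Only the "View" permission is modelled here.
        return permission == "View" and self.user in obj.viewers

    def redirect_to(self, obj):
        """Models sending the browser to obj: raises if the user may not view it."""
        if not self.check_permission("View", obj):
            raise Unauthorized(obj.id)
        return obj


def jump_to_related_unsafe(ctx, document):
    """Reported behaviour: the accessor is security-unaware, so the first related
    object may be one the user cannot view, and the redirect then raises."""
    related = list(document.related_from)  # no permission filtering at all
    if not related:
        return None
    return ctx.redirect_to(related[0])


def jump_to_related_safe(ctx, document):
    """Hardened form: keep only related objects the user may view, so the jump
    either lands on a viewable object or reports that none is accessible."""
    viewable = [o for o in document.related_from if ctx.check_permission("View", o)]
    if not viewable:
        return None  # caller can show "no accessible related object" instead
    return ctx.redirect_to(viewable[0])


def build_sample(user):
    """Constructed sample: B is related from a hidden A and a visible A."""
    a_hidden = Document("A-hidden", viewers={"admin"})
    a_visible = Document("A-visible", viewers={"admin", user})
    b = Document("B", viewers={"admin", user}, related_from=[a_hidden, a_visible])
    return SecurityContext(user), b


def demo(user="alice"):
    """Run both variants for the same user and report what happened."""
    ctx, b = build_sample(user)
    try:
        jump_to_related_unsafe(ctx, b)
        unsafe_raised = False
    except Unauthorized:
        unsafe_raised = True
    target = jump_to_related_safe(ctx, b)
    return {"unsafe_raised": unsafe_raised,
            "safe_target": target.id if target else None}


if __name__ == "__main__":
    print(demo())
```

The point of the hardened variant is that filtering happens on the server side with the current user's permissions before any redirect is issued, so a user who is not allowed to see A never gets an Unauthorized response (and the login box) merely for clicking the jump action; the unviewable object is simply absent from the candidates.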
