[Erp5-dev] Bug - security exception when related object is not accessible

bartek bartek at erp5.pl
Tue Jul 8 11:35:32 CEST 2008


Hello,

About five months ago I found something that I think classifies as a
bug: if a form contains a relation field relating to an object a user is
not authorized to view, then an attempt to view the form raises
Unauthorized, so in effect the object becomes inaccessible.

I wrote a test for it, which shows the problem - it is in the core test
suite (ERP5Form/tests/testGUIwithSecurity.py). It has been there since
March, and it used to be run by the test runner, but since mid-May it is
not executed anymore, for reasons I don't know.

There is also a proposed patch for it, in the experimental repo - it is
open for discussion whether the Unauthorized errors should be handled by
the fields or by the accessors.

Bartek

-- 
"feelings affect productivity. (...) unhappy people write worse
software, and less of it."
Karl Fogel, "Producing Open Source Software"
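As an added illustration (not ERP5 code and not part of the original mail), a minimal Python model of the failure mode described above and of the two candidate handling points under discussion, field-level and accessor-level; the Unauthorized class, Document, Catalog and the sample users and objects are all constructed for this example.

```python
class Unauthorized(Exception):
    """Stand-in for Zope's AccessControl.Unauthorized (constructed)."""

class Document:
    def __init__(self, uid, title, viewers, related_uid=None):
        self.uid, self.title = uid, title
        self.viewers = set(viewers)      # users holding the View permission
        self.related_uid = related_uid   # target of the relation field

class Catalog:  # constructed object store; every lookup enforces View
    def __init__(self, docs):
        self._docs = {d.uid: d for d in docs}
    def get(self, uid, user):
        doc = self._docs[uid]
        if user not in doc.viewers:
            raise Unauthorized(f"{user} may not view {uid}")
        return doc

def relation_field_naive(catalog, doc, user):
    # Reported behaviour: Unauthorized escapes and aborts the whole form.
    return catalog.get(doc.related_uid, user).title

def relation_field_guarded(catalog, doc, user):
    # Field-level handling: neutral placeholder that leaks nothing (not even title).
    try:
        return catalog.get(doc.related_uid, user).title
    except Unauthorized:
        return "(not accessible)"

def get_related(catalog, doc, user):
    # Accessor-level handling: return None, so callers need no try/except.
    try:
        return catalog.get(doc.related_uid, user)
    except Unauthorized:
        return None

def relation_field_via_accessor(catalog, doc, user):
    target = get_related(catalog, doc, user)
    return target.title if target is not None else "(not accessible)"

def render_form(catalog, doc_uid, user, relation_field):
    doc = catalog.get(doc_uid, user)   # the form's own object must be viewable
    return {"title": doc.title, "related": relation_field(catalog, doc, user)}

# Constructed sample: bob may view the order but not the client it relates to.
CATALOG = Catalog([
    Document("order-1", "Order 1", {"alice", "bob"}, related_uid="client-1"),
    Document("client-1", "Client Ltd", {"alice"}),
])
```

With the naive field, bob cannot open the order at all; with either guarded variant he sees his own object and a placeholder for the relation, and the placeholder should stay neutral so the inaccessible object's existence or title is not disclosed.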
