[Erp5-dev] Bug - security exception when related object is not accessible
Romain Courteaud
romain at nexedi.com
Tue Jul 8 12:08:10 CEST 2008
* bartek [2008-07-08 11:35:32 +0200]:
> Hello,
Hello,
> About five months ago I found something that I think classifies as a
> bug: if a form contains a relation field relating to an object a user is
> not authorized to view, then an attempt to view the form raises
> Unauthorized, so in effect the object becomes inaccessible.
I also thought it was a bug.
> I wrote a test for it, which shows the problem - it is in core test
> suite (ERP5Form/tests/testGUIwithSecurity.py). It has been there since
> March, and it used to be run by the test runner, but since mid-May it is
> not executed anymore, for reasons I don't know.
I think this test is still executed, but there is no error anymore since:
http://mail.nexedi.com/pipermail/erp5-report/2008-May/021779.html
> There is also a proposed patch for it, in the experimental repo - it is
> open for discussion if the Unauthorized errors should be handled by the
> fields or by the accessors.
A fix was applied in http://svn.erp5.org/?view=rev&revision=20988 (which
is a bit different from the experimental patch).
Regards,
Romain