[Erp5-dev] Bug - security exception when related object is not accessible

bartek bartek at erp5.pl
Tue Jul 8 12:16:13 CEST 2008


Romain Courteaud wrote:
> * bartek [2008-07-08 11:35:32 +0200]:
> 
>> Hello,
> 
> Hello,
> 
>> About five months ago I found something that I think classifies as a
>> bug: if a form contains a relation field relating to an object a user is
>> not authorized to view, then an attempt to view the form raises
>> Unauthorized, so in effect the object becomes inaccessible.
> 
> I also thought it was a bug.
> 
>> I wrote a test for it, which shows the problem - it is in core test
>> suite (ERP5Form/tests/testGUIwithSecurity.py). It has been there since
>> March, and it used to be run by the test runner, but since mid-May it is
>> not executed anymore, for reasons I don't know.
> 
> I think this test is still executed, but there is no error anymore since:
> http://mail.nexedi.com/pipermail/erp5-report/2008-May/021779.html
> 
>> There is also a proposed patch for it, in the experimental repo - it is
>> open for discussion if the Unauthorized errors should be handled by the
>> fields or by the accessors.
> 
> A fix was applied in http://svn.erp5.org/?view=rev&revision=20988 (which
> is a bit different from the experimental patch).

Oops - sorry, I missed it. If you had told me you did it, I'd have removed
the experimental patch; now it is a duplicate.

Bartek

> 
> Regards,
> Romain
> _______________________________________________
> Erp5-dev mailing list
> Erp5-dev at erp5.org
> http://mail.nexedi.com/mailman/listinfo/erp5-dev
> 


-- 
"feelings affect productivity. (...) unhappy people write worse
software, and less of it."
Karl Fogel, "Producing Open Source Software"
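The failure mode discussed in the thread, as an added example that is not part of the original message or of ERP5's code: an accessor on a related object raises Unauthorized, and if nothing catches it at the field level the exception escapes from form rendering, so the user loses access to the whole form even though they are allowed to view the form's own object. The Unauthorized class, the Document/RelationField objects and the role model below are simplified stand-ins for Zope's, constructed for this illustration; the guarded renderer shows the "handle it in the field" option the thread mentions, not the fix ERP5 actually committed.

```python
"""Added example (not ERP5 code): an unreadable related object makes an
unguarded form raise Unauthorized; catching it per field keeps the form
viewable.  Unauthorized, Document, RelationField and the role sets are
stand-ins for Zope's, constructed for this illustration."""
from dataclasses import dataclass


class Unauthorized(Exception):
    """Stand-in for Zope's AccessControl.Unauthorized (assumed)."""


@dataclass
class Document:
    """Minimal security-aware object: title is readable only by view_roles."""
    uid: str
    title: str
    view_roles: frozenset

    def getTitle(self, user_roles):
        # The accessor enforces the View permission and raises on failure,
        # which is the behaviour the bug report describes.
        if not (self.view_roles & user_roles):
            raise Unauthorized("%s is not viewable" % self.uid)
        return self.title


@dataclass
class StringField:
    name: str
    value: str

    def get_value(self, user_roles):
        return self.value


@dataclass
class RelationField:
    """Field whose displayed value is the title of a related object."""
    name: str
    related: Document

    def get_value(self, user_roles):
        return self.related.getTitle(user_roles)


def render_form_unguarded(fields, user_roles):
    """Buggy behaviour: an Unauthorized raised by any one field escapes,
    so the whole form becomes inaccessible to this user."""
    return {f.name: f.get_value(user_roles) for f in fields}


def render_form_guarded(fields, user_roles):
    """Field-level handling: the unreadable field is masked (None, for the
    caller to show a placeholder) rather than leaking the related title,
    and the rest of the form still renders."""
    rendered = {}
    for f in fields:
        try:
            rendered[f.name] = f.get_value(user_roles)
        except Unauthorized:
            rendered[f.name] = None
    return rendered


def build_sample_form():
    """Constructed sample: an order form whose relation field points at a
    client record that only Manager may view."""
    client = Document("person/1", "Secret Client Ltd", frozenset({"Manager"}))
    return [
        StringField("title", "Sale Order 42"),
        RelationField("destination_title", client),
    ]


def demo():
    """Run both renderers for an Assignee (no access to the client) and a
    Manager, and report what each user would get back."""
    fields = build_sample_form()
    assignee = frozenset({"Assignee"})
    manager = frozenset({"Manager"})
    try:
        render_form_unguarded(fields, assignee)
        unguarded_raised = False
    except Unauthorized:
        unguarded_raised = True
    return {
        "unguarded_raised": unguarded_raised,
        "guarded_assignee": render_form_guarded(fields, assignee),
        "guarded_manager": render_form_guarded(fields, manager),
    }


if __name__ == "__main__":
    print(demo())
```

Two points a reviewer of such a fix would check: the masked value must not echo anything from the protected object (the title, or even a distinct "exists but hidden" marker, is already an information leak about a record the user may not see), and the except clause should be narrow and logged, since swallowing Unauthorized silently can also hide a genuine permission misconfiguration.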