[Erp5-dev] security problems in related objects

Bartek Gorny bartek at gorny.edu.pl
Tue Jan 26 10:13:01 CET 2010


Hello

So, what's the status of this bug? Is it "worksforme", or "doesn't
matter", or what?

Bartek

2010/1/21 Bartek Gorny <bartek at gorny.edu.pl>:
> Hi
>
> It seems there is a security-related problem in jumps between related
> objects: if there is a relation between A and B, then you can set up
> an "object_jump" action to be able to jump from B to A, and there is a
> stock script Base_jumpToRelatedObject to do that. But, the script uses
> ".get*RelatedList" accessor which is security-unaware. The result is
> that if A is not viewable to the current user the click on the jump
> action raises Unauthorized, and the browser pops up a login box.
>
> I remember that two years ago I found a similar problem but from the
> other side - that if there was a relation from A to B, A's form
> contained a relation stringfield to B and B was not viewable then the
> form would raise Unauthorized. I then submitted a patch, and later
> Romain fixed it. But the problem persists at the other end of the
> relation. I could hack around it, but I think it is worth fixing in
> the trunk - the security system is one of the most powerful features
> of ERP5...
>
> Bartek
>
> --
> "Software is largely a service industry operating under the persistent
> but unfounded delusion that it is a manufacturing industry."
> Eric S.Raymond, "The Magic Cauldron"
>
-- 
"Software is largely a service industry operating under the persistent
but unfounded delusion that it is a manufacturing industry."
Eric S.Raymond, "The Magic Cauldron"
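The failure mode in the quoted report, as an added illustration that is not code from ERP5 or from anyone in this thread: a small constructed model in which the reverse relation accessor ignores permissions, so a jump from B to A raises Unauthorized for a user who cannot view A, and, for the older bug from the other side of the relation, a form field that renders the titles of referenced objects does the same. Next to each is the same lookup filtered by the requester's view permission. Every name here (Document, get_related_list, jump_to_related_*, relation_field_*, the users alice and bob, the titles) is an assumption made for the example; ERP5's real accessors, Base_jumpToRelatedObject and the Zope security machinery are not used.

```python
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Constructed stand-in for the Unauthorized the portal raises on a
    forbidden view; in the real system this is what triggers the login box."""


@dataclass(eq=False)  # identity comparison keeps relation lookups simple
class Document:
    uid: str
    title: str
    viewers: frozenset                               # users holding View on this object
    references: list = field(default_factory=list)  # forward relation: this -> target

    def can_view(self, user):
        return user in self.viewers

    def view(self, user):
        """Simulated rendering: raises Unauthorized unless `user` holds View."""
        if not self.can_view(user):
            raise Unauthorized(f"{user} may not view {self.uid}")
        return self.title


def get_related_list(target, catalog):
    """Security-unaware reverse accessor (assumed model of get*RelatedList):
    returns every document referencing `target`, no matter who is asking."""
    return [doc for doc in catalog if target in doc.references]


def jump_to_related_unsafe(obj, user, catalog):
    """The pattern the report describes: render the first reverse-related object
    straight from the accessor; a non-viewable relation escapes as Unauthorized."""
    related = get_related_list(obj, catalog)
    return related[0].view(user) if related else None


def jump_to_related_safe(obj, user, catalog):
    """Filter by the requester's permission before rendering, so a hidden
    relation is treated as absent instead of turning into an auth challenge."""
    visible = [doc for doc in get_related_list(obj, catalog) if doc.can_view(user)]
    return visible[0].view(user) if visible else None


def relation_field_unsafe(obj, user):
    """Forward direction (the older bug in the report): a form field listing the
    titles of the objects `obj` references, rendered without any check."""
    return [target.view(user) for target in obj.references]


def relation_field_safe(obj, user):
    """Same field with non-viewable targets dropped before rendering."""
    return [target.view(user) for target in obj.references if target.can_view(user)]


def build_catalog():
    """Constructed sample data: alice sees everything, bob cannot see A.
    A -> B, C -> B and C -> A, so both A and C are reverse-related to B."""
    a = Document("A", "Title A", frozenset({"alice"}))
    b = Document("B", "Title B", frozenset({"alice", "bob"}))
    c = Document("C", "Title C", frozenset({"alice", "bob"}))
    a.references.append(b)
    c.references.extend([b, a])
    return {"A": a, "B": b, "C": c}, [a, b, c]


def raises_unauthorized(fn, *args):
    """True if calling fn(*args) raises Unauthorized; used to show the leak."""
    try:
        fn(*args)
    except Unauthorized:
        return True
    return False


if __name__ == "__main__":
    docs, catalog = build_catalog()
    print(raises_unauthorized(jump_to_related_unsafe, docs["B"], "bob", catalog))  # True
    print(jump_to_related_safe(docs["B"], "bob", catalog))                          # Title C
    print(raises_unauthorized(relation_field_unsafe, docs["C"], "bob"))             # True
    print(relation_field_safe(docs["C"], "bob"))                                    # ['Title B']
```

The point of the filtered variants is that the permission check happens on the objects the accessor returns, before anything is rendered or redirected to; the accessor itself stays security-unaware, which is fine as long as no user-facing code path trusts its output without that filter.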