print followup fails when can't read partner with id=1

Bug #789215 reported by Leonardo Pistone
This bug affects 1 person
Affects: Odoo Addons (MOVED TO GITHUB)
Status: Fix Released
Importance: Low
Assigned to: OpenERP Publisher's Warranty Team

Bug Description

observed in v6
to reproduce, make sure that a user can't read partner with id = 1 (like assign it to another company, or set a security rule on res_partner to [('id','<>',1)]).

Printing of a followup on any partner then fails.

thanks!

Jay Vora (Serpent Consulting Services) (jayvora) wrote :

Leonardo,

We completely agree that when queries are used statically, they do not respect record rules.

Can you share the traceback of this issue please?

It will help to identify the problem well.

Thank you for finding out such issues.

It is really appreciated that you have been guiding the way to make the module stronger!

Changed in openobject-addons:
status: New → Incomplete
assignee: nobody → OpenERP Publisher's Warranty Team (openerp-opw)
Leonardo Pistone (lepistone) wrote :

Thanks Jay.

When clicking "print follow ups" I get the traceback below.

With a little debugging I found out that the partner that can't be read is the one with id=1.

In our customer's case, partner id=1 is the partner associated with the parent company. Users work on child companies and can't read data from the parent. That is correct. What is wrong is that the follow-up report tries to access it.

A simpler way to reproduce that (not a realistic one though) is to just prevent a user from accessing the partner with id=1. For example, with the security rule [('id','<>',1)] on res.partner.

Thanks!

[2011-05-30 18:01:12,685][apz_20110527] ERROR:web-services:[01]: Exception: (u'AccessError', u'Operation prohibited by access rules, or performed on an already deleted document (Operation: read, Document type: Partner).')
[2011-05-30 18:01:12,685][apz_20110527] ERROR:web-services:[02]: Traceback (most recent call last):
[2011-05-30 18:01:12,686][apz_20110527] ERROR:web-services:[03]: File "/home/leo/devel/src/v6/server/bin/service/web_services.py", line 724, in go
[2011-05-30 18:01:12,686][apz_20110527] ERROR:web-services:[04]: (result, format) = obj.create(cr, uid, ids, datas, context)
[2011-05-30 18:01:12,686][apz_20110527] ERROR:web-services:[05]: File "/home/leo/devel/src/v6/server/bin/report/report_sxw.py", line 428, in create
[2011-05-30 18:01:12,686][apz_20110527] ERROR:web-services:[06]: fnct_ret = fnct(cr, uid, ids, data, report_xml, context)
[2011-05-30 18:01:12,686][apz_20110527] ERROR:web-services:[07]: File "/home/leo/devel/src/v6/server/bin/report/report_sxw.py", line 491, in create_source_pdf
[2011-05-30 18:01:12,686][apz_20110527] ERROR:web-services:[08]: return self.create_single_pdf(cr, uid, ids, data, report_xml, context)
[2011-05-30 18:01:12,686][apz_20110527] ERROR:web-services:[09]: File "/home/leo/devel/src/v6/server/bin/report/report_sxw.py", line 505, in create_single_pdf
[2011-05-30 18:01:12,687][apz_20110527] ERROR:web-services:[10]: rml_parser.set_context(objs, data, ids, report_xml.report_type)
[2011-05-30 18:01:12,687][apz_20110527] ERROR:web-services:[11]: File "/home/leo/devel/src/v6/server/bin/report/report_sxw.py", line 372, in set_context
[2011-05-30 18:01:12,687][apz_20110527] ERROR:web-services:[12]: objects[0].exists() and 'company_id' in objects[0] and objects[0].company_id:
[2011-05-30 18:01:12,687][apz_20110527] ERROR:web-services:[13]: File "/home/leo/devel/src/v6/server/bin/osv/orm.py", line 292, in __getattr__
[2011-05-30 18:01:12,687][apz_20110527] ERROR:web-services:[14]: return self[name]
[2011-05-30 18:01:12,687][apz_20110527] ERROR:web-services:[15]: File "/home/leo/devel/src/v6/server/bin/osv/orm.py", line 205, in __getitem__
[2011-05-30 18:01:12,687][apz_20110527] ERROR:web-services:[16]: field_values = self._table.read(self._cr, self._uid, ids, field_names, context=self._context, load="_classic_write")
[2011-05-30 18:01:12,688][apz_20110527] ERROR:web-services:[17]: File "/home/leo/devel/src/v6/server/bin/osv/orm.py", line 2942, in read
[2011-05-30 18:01:12,688][apz_20110527] ERROR:web-services:[18]: result = self._read_flat(cr, user, select, fie...

Jay Vora (Serpent Consulting Services) (jayvora) wrote :

We are evaluating https://code.launchpad.net/~openerp-dev/openobject-addons/6.0-bug-777850-ado/+merge/62656 and we will correct the bug there.
Thanks.

Changed in openobject-addons:
status: Incomplete → Confirmed
importance: Undecided → Low
status: Confirmed → In Progress
milestone: none → 6.0.3
Jay Vora (Serpent Consulting Services) (jayvora) wrote :

Leonardo,

Thanks for reporting.

We would like to thank you for finding such errors for us.

It has been fixed in https://code.launchpad.net/~openerp-dev/openobject-addons/6.0-bug-777850-ado/+merge/62656. Can you please check?

The actual issue was that the wizard was not sending the right ID to the report.

Thanks.
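
An added illustration, not part of the thread and not OpenERP code: a minimal stand-in for record-rule enforcement showing the two behaviours discussed above, a report handed the wrong ID failing on the rule [('id','<>',1)] and a static query bypassing the rule. The partner data and all function names are constructed for the example.

```python
# Added illustration: a minimal stand-in for ORM record rules, not OpenERP code.
import operator

class AccessError(Exception):
    pass

# Constructed sample data: partner 1 belongs to the parent company.
PARTNERS = {
    1: {"id": 1, "name": "Parent Company", "company_id": 1},
    7: {"id": 7, "name": "Customer A", "company_id": 2},
    9: {"id": 9, "name": "Customer B", "company_id": 2},
}

OPS = {"=": operator.eq, "<>": operator.ne, "!=": operator.ne,
       "in": lambda a, b: a in b, "not in": lambda a, b: a not in b}

def matches(record, domain):
    """True when the record satisfies every (field, op, value) leaf (implicit AND)."""
    return all(OPS[op](record[field], value) for field, op, value in domain)

def read(ids, rule):
    """Rule-enforcing read: one denied id fails the whole call, as in the traceback."""
    denied = [i for i in ids if i not in PARTNERS or not matches(PARTNERS[i], rule)]
    if denied:
        raise AccessError("read denied on partner ids %s" % denied)
    return [PARTNERS[i] for i in ids]

def raw_query(ids):
    """Static query path: goes straight to the table, so no rule is applied."""
    return [PARTNERS[i] for i in ids if i in PARTNERS]

def print_followup(report_ids, rule):
    """Render names for the ids handed to the report; returns (ok, payload)."""
    try:
        return True, [p["name"] for p in read(report_ids, rule)]
    except AccessError as exc:
        return False, str(exc)

RULE = [("id", "<>", 1)]   # the rule from the bug report
SELECTED = [7, 9]          # hypothetical partners picked in the wizard

if __name__ == "__main__":
    print(print_followup([1], RULE))       # wrong id handed to the report: denied
    print(print_followup(SELECTED, RULE))  # selected ids: report renders
    print(raw_query([1])[0]["name"])       # rule bypassed by the static path
```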

Changed in openobject-addons:
status: In Progress → Fix Committed
Jay Vora (Serpent Consulting Services) (jayvora) wrote :

Please find the backup of the database.
Main company user admin:a
Other company user al:a

Thanks.

Leonardo Pistone (lepistone) wrote :

Jay, thanks. I agree your db works when you press "add" and add a new partner.

However, if you create a new invoice with date 1/1/2011 that will be listed in the list automatically, and at that point if you press "print" you get an access error.

I admit, I find that a bit confusing )

Jay Vora (Serpent Consulting Services) (jayvora) wrote :

Leonardo,

If possible, can you share your DB?

Did you mean that my DB still gives the error with the steps you mentioned?

Thanks.

Leonardo Pistone (lepistone) wrote :

Jay, here is a DB that I created with the following steps:

1. new DB, demo data install only accounting
2. add user "demo" to groups "accounting/manager" (to do followups) and "accounting/invoice" (to make invoices)
3. as demo, create and validate an invoice, date 1/1/2011
4. as admin, set the security rule [('id','<>',1)] to partner
5. as demo, send followups

get the usual error.

Also, from *your* database, I get an error even if I create a new invoice (date 1/1/2011) and send followups.

Thanks!

Amit Dodiya (OpenERP) (ado-openerp) wrote :

Leonardo,

This has nothing to do with account_followup.

How do you expect a user to be able to create/validate invoices or do similar trusted tasks on behalf of his company without being able to access basic data like the address of his company?

The user had the right to see partners, and he has the right to create invoices, but he would not have the right to read the name or address of his own company??? This is somehow very confusing, which we can call a bad configuration.

In our database sent by Jay Vora (OpenERP), we double checked here and this particular bug 789215 has been fixed.

Your restriction would be nice for multicompany, but not for single company users.

Thanks.

Changed in openobject-addons:
status: Fix Committed → Fix Released
Leonardo Pistone (lepistone) wrote :

Amit,

I agree with you, my example situation doesn't make practical sense and I know that. It was just an attempt of mine to isolate the problem without having to explain the whole setup of my customer.

For that customer all started when I tried to give everyone access to the partner with id=1, and that workaround worked. So my example was just an attempt to over-simplify that to be able to speak easily. Not a very good example I agree, and sorry for that.

That said, the new code does work in the customer's real case which is good.

So before closing that bug, I have one last doubt, that is what I said in my last comment: we should check in Jay's DB what happens if we create and confirm an invoice with date 1/1/2011 and then try to send followups.

Thanks!

Amit Dodiya (OpenERP) (ado-openerp) wrote :

Hello Leonardo,

There will be an error only at the time when you select the partner which is of another company.

Thanks.
