Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Master,11,10,9,8][Security] model.transient : read_group() and read() have access of all records of all user #19904

Closed
fmdl opened this issue Oct 5, 2017 · 1 comment
Closed

[Master,11,10,9,8][Security] model.transient : read_group() and read() have access of all records of all user #19904

fmdl opened this issue Oct 5, 2017 · 1 comment
Labels
10.0

Comments

@fmdl
Copy link
Contributor

fmdl commented Oct 5, 2017
edited

Impacted versions:
master, 11, 10, 9, 8

Steps to reproduce:

  • use SQL code to generate lines on transient model, with create_uid = 1.
  • connect with an other uid
  • go on the tree view of this model
  • you see no record
  • BUT group by and pivot works

Current behavior:
any other user can see with pivot or group by some information

Expected behavior:
any other user cannot see data

Start of solution :
It seems the function read_group have no filter about the create_uid during the query for the transient model.

Video/Screenshot link (optional):

image

cc : @sylvain-garancher

#20328
@fmdl fmdl changed the title [10][Security] model.transient : overide acces with group_by or pivot view [10][Security] model.transient : read_group() seems have access of records of all user Oct 5, 2017
@Yenthe666 Yenthe666 added the 10.0 label Oct 6, 2017
@Yenthe666
Copy link
Collaborator

Hmm perhaps something for you to check @odony?

@fmdl fmdl mentioned this issue Oct 19, 2017
Closed
@fmdl fmdl changed the title [10][Security] model.transient : read_group() seems have access of records of all user [Master,11,10,9,8][Security] model.transient : read_group() seems have access of records of all user Oct 19, 2017
@fmdl fmdl changed the title [Master,11,10,9,8][Security] model.transient : read_group() seems have access of records of all user [Master,11,10,9,8][Security] model.transient : read_group() and read() have access of all records of all user Oct 20, 2017
@fmdl fmdl closed this as completed Oct 23, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
10.0
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Yenthe666 @fmdl