New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[7.0] SUPERUSER_ID passed instead of real uid to get the value of related field #6274
Comments
Thanks @yann-papouin, I've read your link. But anyway security it's just one thing in this question. Also wrong uid is passed to the function and it's not right. Yes, if uid would be used just to give more access to read the value of the field, it's ok. But in my situation this function also returns different value for different uid and it's pity that OpenERP can't handle this sutuation. Of course, I've already rewrited my module and changed "related" type to the "function" that handles the situation properly, but anyway I don't think the original solution for "related" fields is good. |
Hi @dskarataev, Thank you for your bug report and our apoligies that we haven't had the time to look at this bug report. We do our best to handle all of them, but we sometimes miss some. Regards, |
Hello there,
I have inherited the function that returns value of "virtual_available" field in product.product. Also in another model I have field with type=related that points to the "virtual_available" in the product.product.
I had the problem with wrong uid in my inherited function "_product_available()" and I was debugging looking for place that replace my uid to SUPERUSER_ID, and finally I got it. It's the method "_fnct_read" in osv.fields and this method put SUPERUSER_ID instead my uid in hard way to get the value.
It means that it is security error and user that doesn't have the right to read value of field in related model CAN DO IT NOW.
Please check this out and give me your feedback. @rco-odoo @xmo-odoo
The text was updated successfully, but these errors were encountered: