[Erp5-dev] Bug - security exception when related object is not accessible
bartek
2008-07-08 09:35:32 UTC
Hello,

About five months ago I found something that I think classifies as a
bug: if a form contains a relation field relating to an object a user is
not authorized to view, then an attempt to view the form raises
Unauthorized, so in effect the object becomes inaccessible.

I wrote a test for it, which shows the problem - it is in core test
suite (ERP5Form/tests/testGUIwithSecurity.py). It has been there since
March, and it used to be run by the test runner, but since mid-May it is
not executed anymore, for reasons I don't know.

There is also a proposed patch for it, in the experimental repo - it is
open for discussion if the Unauthorized errors should be handled by the
fields or by the accessors.

Bartek
--
"feelings affect productivity. (...) unhappy people write worse
software, and less of it."
Karl Fogel, "Producing Open Source Software"
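The failure Bartek describes, and the field-side handling his last paragraph puts up for discussion, modelled as an added stand-in example (not ERP5, Zope or the thread's own code; `Document`, `RelationField`, `getTitle` and the local `Unauthorized` class are all assumptions standing in for the real framework):

```python
# Stand-in model of the bug in this thread: a relation field whose target the
# user may not view raises Unauthorized while the form renders, so the whole
# form becomes inaccessible. Constructed example, not ERP5 code; names assumed.

class Unauthorized(Exception):
    """Stand-in for AccessControl.Unauthorized (constructed)."""

class Document:
    """A document whose accessor enforces a per-user View permission."""
    def __init__(self, uid, title, viewers):
        self.uid, self.title, self.viewers = uid, title, frozenset(viewers)

    def getTitle(self, user):
        # The permission check lives in the accessor, so a field that calls
        # it on a related object the user may not view hits Unauthorized.
        if user not in self.viewers:
            raise Unauthorized("%s may not view %s" % (user, self.uid))
        return self.title

class RelationField:
    """Buggy field: lets Unauthorized from the related object propagate."""
    def __init__(self, name, target):
        self.name, self.target = name, target

    def render(self, user):
        return self.target.getTitle(user)

class SafeRelationField(RelationField):
    """Fixed field: catches Unauthorized for its own target and renders a
    placeholder that reveals nothing about it, so the form stays viewable."""
    PLACEHOLDER = "(not accessible)"

    def render(self, user):
        try:
            return self.target.getTitle(user)
        except Unauthorized:
            return self.PLACEHOLDER

def render_form(fields, user):
    """Render a form; a single raising field takes the whole form down."""
    return {field.name: field.render(user) for field in fields}

def demo(user, safe):
    """One-field form on a supplier only alice may view; None if denied."""
    supplier = Document("supplier-1", "ACME Ltd", viewers=["alice"])
    cls = SafeRelationField if safe else RelationField
    try:
        return render_form([cls("source_title", supplier)], user)
    except Unauthorized:
        return None
```

With the buggy field, `bob` cannot open a form he is otherwise allowed to see; with the fixed field the form renders and the placeholder still leaks nothing about the related supplier.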
Romain Courteaud
2008-07-08 10:08:10 UTC
bartek wrote:
> Hello,
Hello,
> About five months ago I found something that I think classifies as a
> bug: if a form contains a relation field relating to an object a user is
> not authorized to view, then an attempt to view the form raises
> Unauthorized, so in effect the object becomes inaccessible.
I also thought it was a bug.
> I wrote a test for it, which shows the problem - it is in core test
> suite (ERP5Form/tests/testGUIwithSecurity.py). It has been there since
> March, and it used to be run by the test runner, but since mid-May it is
> not executed anymore, for reasons I don't know.
I think this test is still executed, but there is no error anymore since:
http://mail.nexedi.com/pipermail/erp5-report/2008-May/021779.html
> There is also a proposed patch for it, in the experimental repo - it is
> open for discussion if the Unauthorized errors should be handled by the
> fields or by the accessors.
A fix was applied in http://svn.erp5.org/?view=rev&revision=20988 (which
is a bit different from the experimental patch).

Regards,
Romain
bartek
2008-07-08 10:16:13 UTC
Romain Courteaud wrote:
>> Hello,
> Hello,
>> About five months ago I found something that I think classifies as a
>> bug: if a form contains a relation field relating to an object a user is
>> not authorized to view, then an attempt to view the form raises
>> Unauthorized, so in effect the object becomes inaccessible.
> I also thought it was a bug.
>> I wrote a test for it, which shows the problem - it is in core test
>> suite (ERP5Form/tests/testGUIwithSecurity.py). It has been there since
>> March, and it used to be run by the test runner, but since mid-May it is
>> not executed anymore, for reasons I don't know.
> http://mail.nexedi.com/pipermail/erp5-report/2008-May/021779.html
>> There is also a proposed patch for it, in the experimental repo - it is
>> open for discussion if the Unauthorized errors should be handled by the
>> fields or by the accessors.
> A fix was applied in http://svn.erp5.org/?view=rev&revision=20988 (which
> is a bit different from the experimental patch).
Oops - sorry, I missed it. If you told me you did it, I'd have removed
the experimental patch, now it is duplicating.

Bartek
> Regards,
> Romain
> _______________________________________________
> Erp5-dev mailing list
> Erp5-dev at erp5.org
> http://mail.nexedi.com/mailman/listinfo/erp5-dev
--
"feelings affect productivity. (...) unhappy people write worse
software, and less of it."
Karl Fogel, "Producing Open Source Software"
Romain Courteaud
2008-07-08 10:44:19 UTC
bartek wrote:
> Oops - sorry, I missed it. If you told me you did it, I'd have removed
> the experimental patch, now it is duplicating.
No problem.
Feel free to review the patch.

Romain