15.0 fix my profile edit wbr #81474
Closed
Reverts commit 0e12620 from PR odoo#79472 TaskId-2715341
Before this commit users were not able to edit their settings if they had a linked employee for a company that was not currently active for them. This is due to the fact that since the employee_ids field is considered `safe` to read/write by your own user the fields were loaded in sudo and thus bypassed the security rules that were meant to prevent that issue. The security rule is now enforced as a domain on the `employee_ids`. TaskId-2715341
Contributor
@robodoo rebase-ff r+
Contributor
Merge method set to rebase and fast-forward
robodoo pushed a commit that referenced this pull request Dec 17, 2021
This was referenced Dec 17, 2021
Williambraecky added a commit to odoo-dev/odoo that referenced this pull request Jun 24, 2022
Backport of odoo#81474
Before odoo#86889 a regular user with employees in multiple companies was not able to change his own language due to a chain of events calling onchange on all the employee_ids and employee_ids on res.users being read as sudo. The fix does work but was wrong because it gave access to the user's public employee regardless of the active company_id. A domain was added to employee_ids to force the security rules even in sudo.
robodoo pushed a commit that referenced this pull request Jun 24, 2022
Backport of #81474
Before #86889 a regular user with employees in multiple companies was not able to change his own language due to a chain of events calling onchange on all the employee_ids and employee_ids on res.users being read as sudo. The fix does work but was wrong because it gave access to the user's public employee regardless of the active company_id. A domain was added to employee_ids to force the security rules even in sudo.
closes #94558
Signed-off-by: Kevin Baptiste <[email protected]>
fw-bot pushed a commit to odoo-dev/odoo that referenced this pull request Jun 24, 2022
Backport of odoo#81474
Before odoo#86889 a regular user with employees in multiple companies was not able to change his own language due to a chain of events calling onchange on all the employee_ids and employee_ids on res.users being read as sudo. The fix does work but was wrong because it gave access to the user's public employee regardless of the active company_id. A domain was added to employee_ids to force the security rules even in sudo.
X-original-commit: 90cec40
This was referenced Jun 24, 2022
robodoo pushed a commit that referenced this pull request Jun 25, 2022
Backport of #81474
Before #86889 a regular user with employees in multiple companies was not able to change his own language due to a chain of events calling onchange on all the employee_ids and employee_ids on res.users being read as sudo. The fix does work but was wrong because it gave access to the user's public employee regardless of the active company_id. A domain was added to employee_ids to force the security rules even in sudo.
closes #94611
X-original-commit: 90cec40
Signed-off-by: Kevin Baptiste <[email protected]>
Signed-off-by: William Braeckman (wbr) <[email protected]>
robodoo pushed a commit that referenced this pull request Jun 25, 2022
Backport of #81474
Before #86889 a regular user with employees in multiple companies was not able to change his own language due to a chain of events calling onchange on all the employee_ids and employee_ids on res.users being read as sudo. The fix does work but was wrong because it gave access to the user's public employee regardless of the active company_id. A domain was added to employee_ids to force the security rules even in sudo.
closes #94607
X-original-commit: 90cec40
Signed-off-by: Kevin Baptiste <[email protected]>
Signed-off-by: William Braeckman (wbr) <[email protected]>
robodoo pushed a commit that referenced this pull request Jun 25, 2022
Backport of #81474
Before #86889 a regular user with employees in multiple companies was not able to change his own language due to a chain of events calling onchange on all the employee_ids and employee_ids on res.users being read as sudo. The fix does work but was wrong because it gave access to the user's public employee regardless of the active company_id. A domain was added to employee_ids to force the security rules even in sudo.
closes #94602
X-original-commit: 90cec40
Signed-off-by: Kevin Baptiste <[email protected]>
Signed-off-by: William Braeckman (wbr) <[email protected]>
robodoo pushed a commit that referenced this pull request Jun 25, 2022
Backport of #81474
Before #86889 a regular user with employees in multiple companies was not able to change his own language due to a chain of events calling onchange on all the employee_ids and employee_ids on res.users being read as sudo. The fix does work but was wrong because it gave access to the user's public employee regardless of the active company_id. A domain was added to employee_ids to force the security rules even in sudo.
closes #94592
X-original-commit: 90cec40
Signed-off-by: Kevin Baptiste <[email protected]>
Signed-off-by: William Braeckman (wbr) <[email protected]>
robodoo pushed a commit that referenced this pull request Jun 25, 2022
Backport of #81474
Before #86889 a regular user with employees in multiple companies was not able to change his own language due to a chain of events calling onchange on all the employee_ids and employee_ids on res.users being read as sudo. The fix does work but was wrong because it gave access to the user's public employee regardless of the active company_id. A domain was added to employee_ids to force the security rules even in sudo.
closes #94615
X-original-commit: 90cec40
Signed-off-by: Kevin Baptiste <[email protected]>
Signed-off-by: William Braeckman (wbr) <[email protected]>
robodoo pushed a commit that referenced this pull request Jun 25, 2022
Backport of #81474
Before #86889 a regular user with employees in multiple companies was not able to change his own language due to a chain of events calling onchange on all the employee_ids and employee_ids on res.users being read as sudo. The fix does work but was wrong because it gave access to the user's public employee regardless of the active company_id. A domain was added to employee_ids to force the security rules even in sudo.
closes #94618
X-original-commit: 90cec40
Signed-off-by: Kevin Baptiste <[email protected]>
Signed-off-by: William Braeckman (wbr) <[email protected]>

Before this commit users were not able to edit their settings if they
had a linked employee for a company that was not currently active for
them.
This is due to the fact that since the employee_ids field is considered
safe to read/write by your own user the fields were loaded in sudo and thus bypassed the security rules that were meant to prevent that issue.
The security rule is now enforced as a domain on the
employee_ids.
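
A minimal model of the behaviour the description above explains, added here as an example and not code from the pull request or from Odoo: it is plain Python rather than the Odoo ORM, and every name (`load_employee_ids`, `onchange_as_user`, `save_profile`) and the sample data are assumptions. It shows why a sudo load needs the company filter as a field domain, since record rules are skipped in sudo.

```python
# Simplified model, not Odoo code: all names are hypothetical, data is constructed.
from dataclasses import dataclass

class AccessError(Exception):
    pass

@dataclass(frozen=True)
class Employee:
    id: int
    user_id: int
    company_id: int

# Constructed sample: user 7 has one employee in company 1 and one in company 2.
EMPLOYEES = [Employee(10, 7, 1), Employee(11, 7, 2), Employee(12, 8, 1)]

def record_rule(emp, active_company_ids):
    """Multi-company rule: only records of the active companies are accessible."""
    return emp.company_id in active_company_ids

def load_employee_ids(user_id, active_company_ids, *, sudo, field_domain):
    """Load a user's employees the way a relational field read would."""
    rows = [e for e in EMPLOYEES if e.user_id == user_id]
    if field_domain:
        # A domain is part of the field itself, so it filters even in sudo.
        rows = [e for e in rows if e.company_id in active_company_ids]
    if not sudo:
        # Record rules are only evaluated for non-superuser access.
        rows = [e for e in rows if record_rule(e, active_company_ids)]
    return rows

def onchange_as_user(rows, active_company_ids):
    """Follow-up processing runs with the user's own rights and re-checks rules."""
    for e in rows:
        if not record_rule(e, active_company_ids):
            raise AccessError(f"employee {e.id} belongs to an inactive company")
    return [e.id for e in rows]

def save_profile(user_id, active_company_ids, *, field_domain):
    """Profile edit: self-readable fields are loaded in sudo, then onchange runs."""
    rows = load_employee_ids(user_id, active_company_ids, sudo=True,
                             field_domain=field_domain)
    return onchange_as_user(rows, active_company_ids)
```

With company 1 active, `save_profile(7, {1}, field_domain=False)` raises `AccessError` because the sudo load returned the company 2 employee, while `field_domain=True` returns only employee 10.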