#64823 Incident ID:15648 - Overzealous and inconsistent application of privileges on Site Security

open
nobody
None
5
2011-09-12
2011-09-12
omfgppc
No

Description:

Site security implements extremely strict privileges in such a way that if a document contains a reference to a Site you do not have access to, you cannot view the document at all. For example, if a Sales Order has items from two sites, say WH1 which you have access to and WH2 which you do not have access to, then you will not be able to view the sales order at all. This is inconsistent with our general privilege methodology that allows you to see references to functional areas you do not have access to. For example, it would be absurd if, because you did not have access to items, you would not be able to work with any document that references an item. What item privilege control means in the context of Items is that you do not have the ability to maintain or possibly even view detail on Items from the screens where Items are referenced.

Row level security is being implemented on issue #15501 such that you will always be able to view basic record information when referenced in some other context you have access to. So, for example, you will be able to see that there are contacts associated with a CRM Account, even if you do not have privileges to view or maintain contacts.

To be consistent, then, a user should be able to open a Sales Order that references a Site they do not have access to even if they do not have privileges to view data for that Site, so long as the order references data they do have access to that would allow it to show up on their Open Sales Order list. It would be logical, however, to disallow such a user from viewing and/or editing the line items that reference sites for which they don't have access.

Additional information

For the entire bug information, please visit

http://www.xtuple.org/xtincident/view/bugs/15648
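
The difference between the reported behaviour and the requested one, modelled on the ticket's WH1/WH2 scenario. This is an added example, not xTuple code and not part of the original report; the class and function names, the sample order, and the choice to show only a line number and site for restricted lines are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Line:
    number: int
    site: str
    item: str
    qty: int

@dataclass(frozen=True)
class SalesOrder:
    number: str
    lines: tuple

def strict_can_open(order, user_sites):
    """Reported behaviour: one inaccessible site blocks the whole order."""
    return all(line.site in user_sites for line in order.lines)

def proposed_can_open(order, user_sites):
    """Requested behaviour: open if at least one line is on an accessible site."""
    return any(line.site in user_sites for line in order.lines)

def proposed_view(order, user_sites):
    """Return the order as this user may see it, or None if it may not be opened.

    Lines on inaccessible sites keep only a basic reference (line number, site)
    and are flagged non-editable. How much to expose is an assumption here.
    """
    if not proposed_can_open(order, user_sites):
        return None
    view = []
    for line in order.lines:
        allowed = line.site in user_sites
        view.append({
            "line": line.number,
            "site": line.site,
            "item": line.item if allowed else None,   # detail withheld
            "qty": line.qty if allowed else None,     # detail withheld
            "editable": allowed,
        })
    return {"order": order.number, "lines": view}

# Constructed sample data: one order with lines on both sites, user limited to WH1.
ORDER = SalesOrder("SO-1001", (Line(1, "WH1", "WIDGET", 10), Line(2, "WH2", "GADGET", 4)))
WH1_USER = frozenset({"WH1"})

if __name__ == "__main__":
    print("strict:", strict_can_open(ORDER, WH1_USER))
    print("proposed:", proposed_view(ORDER, WH1_USER))
```

The `editable` flag only drives what a client displays; the same site check has to be repeated wherever a line update is accepted, or the restriction is cosmetic.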

Discussion