[18.0] dms: Broken access rules
Module
dms
Describe the bug
The write, unlink and create access permissions defined in the dms groups are not working as intended. Every operation is allowed regardless of the permissions the user has at that time.
To Reproduce
Affected versions:
- [x] 18.0
- [ ] 16.0 - Not affected
Steps to reproduce the behavior:
- Create a new access group with "Create access" and "Unlink access" active. Leave "Write access" unchecked.
- Make sure the user you're on is included in the access group.
- Set up a storage with a root folder.
- Assign the newly created group to the root folder just created.
- Upload a file in the folder.
- Open Form view of the file.
- Create a new Tag and add it to the file.
- Save.
Expected behavior
The expected behavior after these steps is that the user should not be able to save the file since it does not have "Write access" as a permission.
https://github.com/user-attachments/assets/21a3477b-1498-44db-b549-62c12124e218
Here's a video of the issue on the latest Runboat
@LorenzoC0 trying to fix with https://github.com/OCA/dms/pull/435
@kobros-tech @victoralmau any opinion about this? Thanks!
Can you try something else rather than tag or category?
Like updating the name of the root folder.
https://github.com/user-attachments/assets/d844beeb-4761-4413-865e-891558e27e3a
@kobros-tech Yes, here's a video editing the root folder, I hope it's not compressed too hard.
As you can see, I cannot edit the name of the folder, but the error indicates a missing permission with the dms access group records. Then I tried to directly delete the folder on the kanban view, and it successfully does so without Unlink access in the group of the user.
IMO this has already been fixed https://github.com/OCA/dms/pull/436#issuecomment-2969488112