Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[14.0][FIX] user profile fix #59

Open
wants to merge 2 commits into
base: 14.0-pavlov_odoo
Choose a base branch
from
Open

[14.0][FIX] user profile fix #59

wants to merge 2 commits into from

Conversation

Murtaza-OSI
Copy link

No description provided.

pedrambiria and others added 2 commits November 24, 2022 14:34
@pedrambiria @Murtaza-OSI
[FIX] point_of_sale: load orders with archived product
82a2ee3 
Before this commit: if one product in one of the previous orders is
archived, it won't load the order properly for order management.

opw-3035231

closes odoo#105952

Signed-off-by: Trinh Jacky (trj) <[email protected]>
@anhe-odoo @Murtaza-OSI
[FIX] hr: Hide 'delete' and 'change password' actions on own profile
73abcc1 
Expected Behaviour

When a user goes to his own profile, he has two ways to change his password :
1. through the 'Account security' tab
2. through the 'Actions' > 'Change password' menu in list/form view
Both option should let the user change its password, or one of the two should
not be present

Observed behaviour

While the first one works as expected, the second option gives an error as
the user doesn't have the admin rights

Reproducibility

This bug can be reproduced following these steps:
0. Make sure to have the "Employees" app installed
1. Connect as an employee (e.g. demo/demo on runbot)
2. Click on your name at the top right, go to 'My Profile'
3. Click 'Action' then 'Change password'

Problem Root Cause

There is an override of field_view_get for the res.users model in the hr
module which elevates the user with sudo so that the user may modify their
own user in some capacity. The problem is that by elevating the ACLs of the
user, fields_view_get will also return actions that are not normally
available to the user (e.g. deletion of user profile)

Related Issues/PR

- opw-2735671

closes odoo#83577

Signed-off-by: Yannick Tivisse (yti) <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@jantoniorivera97 jantoniorivera97

Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Murtaza-OSI @jantoniorivera97 @pedrambiria @anhe-odoo