From 083691b392b1f9556dd64787f46e7536e7d2f7c3 Mon Sep 17 00:00:00 2001 From: Olivier Dony Date: Mon, 5 Sep 2011 14:37:56 +0200 Subject: [PATCH 1/1] [IMP] ir.values: improve security: users can only write to their personal defaults Administrator access is required to set defaults for everybody, as well as to alter the action bindings. bzr revid: odo@openerp.com-20110905123756-oqum5k2pnbyoa11r --- openerp/addons/base/security/base_security.xml | 7 +++++++ openerp/addons/base/security/ir.model.access.csv | 3 +-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/openerp/addons/base/security/base_security.xml b/openerp/addons/base/security/base_security.xml index 00aca66..fe3a10f 100644 --- a/openerp/addons/base/security/base_security.xml +++ b/openerp/addons/base/security/base_security.xml @@ -65,6 +65,13 @@ [('company_id','child_of',[user.company_id.id])] + + Defaults: alter personal values only + + [('key','=','default'),('user_id','=',user.id)] + + + diff --git a/openerp/addons/base/security/ir.model.access.csv b/openerp/addons/base/security/ir.model.access.csv index 8949052..6460c06 100644 --- a/openerp/addons/base/security/ir.model.access.csv +++ b/openerp/addons/base/security/ir.model.access.csv 
@@ -38,8 +38,7 @@
 "access_ir_ui_view_custom_group_user","ir_ui_view_custom_group_user","model_ir_ui_view_custom",,1,0,0,0
 "access_ir_ui_view_custom_group_system","ir_ui_view_custom_group_system","model_ir_ui_view_custom","group_system",1,1,1,1
 "access_ir_ui_view_sc_group_user","ir_ui_view_sc group_user","model_ir_ui_view_sc",,1,1,1,1
-"access_ir_values_group_erp_manager","ir_values group_erp_manager","model_ir_values","group_erp_manager",1,1,1,1
-"access_ir_values_group_all","ir_values group_all","model_ir_values",,1,0,1,0
+"access_ir_values_group_all","ir_values group_all","model_ir_values",,1,1,1,1
 "access_res_company_group_erp_manager","res_company group_erp_manager","model_res_company","group_erp_manager",1,1,1,1
 "access_res_company_group_user","res_company group_user","model_res_company",,1,0,0,0
 "access_res_country_group_all","res_country group_user_all","model_res_country",,1,0,0,0
-- 
1.7.10.4
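Review bot: The new `access_ir_values_group_all` row goes from `1,0,1,0` to `1,1,1,1` with an empty group column, so the model-level ACL on `model_ir_values` no longer restricts anyone, and the record rule added in `base_security.xml` becomes the only guard on shared defaults and action bindings. Only that rule's name and its domain `[('key','=','default'),('user_id','=',user.id)]` are legible on this page, so please confirm that it applies to write, create and unlink, leaves read open, and is a global rule. If it is bound to a group, users outside that group would presumably get the full `1,1,1,1` with no row filter. Record rules are not applied to superuser calls, so any server-side helper that writes ir.values under an elevated uid on behalf of the caller should be checked as well. A regression test asserting that a non-admin user is refused when creating or editing a row with an empty `user_id` or a key other than `default` would pin the intent stated in the commit message.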