skpatel20
Joined: 04 Nov 2008 Posts: 83 Location: India
|
Posted: Mon Nov 24, 2008 12:09 pm Post subject: Relationship of Customer, Supplier, Employee, Partner, User |
|
|
Trying to study OpenERP, I am confused somewhere here. I infer the following. Would be quite helpful to get some comments and confirmations.
1. Partner object holds Customers and Suppliers. There are not any separate Objects for these. Instead, two boolean fields named 'customer' and 'supplier' in Partner indicate whether it is a customer or supplier.
2. There is a 'user_id' field in Partner labeled 'Dedicated Salesman'. Is this the ID using which Partners login?
3. There is a separate Employee object. There is no relationship between Employee and Partner!
I don't understand why Employee-User is a many2one relationship. Similarly, why Partner-User is a many2one relationship.
thanks, _________________ Sanjay
RAD Solutions Private Limited
sanjay at radsolutions co in |
hda
Joined: 03 Dec 2007 Posts: 1376 Location: Belgium
|
Posted: Tue Nov 25, 2008 7:29 am Post subject: |
|
|
| Quote: | 2. There is a 'user_id' field in Partner labeled 'Dedicated Salesman'. Is this the ID using which Partners login?
|
If you want to compute salesman's commission and dedicate salesman to particular partner (customer or supplier) then you can select your employee (salesman) who is going to handle those partners.
| Quote: | | There is a separate Employee object. There is no relationship between Employee and Partner! |
There is a relationship through dedicated salesman between employee and partner.
| Quote: | | I don't understand why Employee-User is a many2one relationship. Similarly |
Employee-user relationship is for providing user rights and login to employee. _________________ OpenERP=Easier, Adaptable, Affordable, Modular |
skpatel20
Joined: 04 Nov 2008 Posts: 83 Location: India
|
Posted: Tue Nov 25, 2008 8:34 am Post subject: |
|
|
Hi Husen,
Thanks for the responses. Needing some more inputs:
| hda wrote: | | Quote: | 2. There is a 'user_id' field in Partner labeled 'Dedicated Salesman'. Is this the ID using which Partners login? |
If you want to compute salesman's commission and dedicate salesman to particular partner (customer or supplier) then you can select your employee (salesman) who is going to handle those partners. |
Is a partner (customer or supplier) logging in directly currently supported? If yes, which field in partner is used for the link?
| hda wrote: | | Quote: | | There is a separate Employee object. There is no relationship between Employee and Partner! |
There is a relationship through dedicated salesman between employee and partner. |
You mean like this: Employee<User>Partner?
| hda wrote: | | Quote: | | I don't understand why Employee-User is a many2one relationship. Similarly |
Employee-user relationship is for providing user rights and login to employee. |
Any specific reason why it is many2one and not one2one?
thanks a lot, _________________ Sanjay
RAD Solutions Private Limited
sanjay at radsolutions co in |
hda
Joined: 03 Dec 2007 Posts: 1376 Location: Belgium
|
Posted: Tue Nov 25, 2008 9:16 am Post subject: |
|
|
You need to create a separate user for customer and supplier to provide them login.
There is no relationship for partner-user.
You need to customize partner for that. _________________ OpenERP=Easier, Adaptable, Affordable, Modular |
skpatel20
Joined: 04 Nov 2008 Posts: 83 Location: India
|
Posted: Tue Nov 25, 2008 11:35 am Post subject: |
|
|
Ok.
Might be a naive question but not yet understood why Employee-User is many2one and not one2one. Any specific thoughts?
thanks, _________________ Sanjay
RAD Solutions Private Limited
sanjay at radsolutions co in |
sraps
Joined: 09 Jul 2008 Posts: 313
|
Posted: Tue Nov 25, 2008 11:51 am Post subject: |
|
|
But anyway you should be very cautious when providing a system login for external party, because there is a bug which allows changing identity. This and similar bugs are present (and known) on system at least for couple of years now, and in latest stable version inclusive. So it renders use of TERP for direct customer interaction, extremely unsafe.
sraps |
sraps
Joined: 09 Jul 2008 Posts: 313
|
Posted: Tue Nov 25, 2008 11:58 am Post subject: |
|
|
| Quote: | | Might be a naive question but not yet understood why Employee-User is many2one and not one2one. Any specific thoughts? |
one2one field, though exists, just doesn't work |
skpatel20
Joined: 04 Nov 2008 Posts: 83 Location: India
|
Posted: Tue Nov 25, 2008 12:23 pm Post subject: |
|
|
| sraps wrote: | | But anyway you should be very cautious when providing a system login for external party, because there is a bug which allows changing identity. This and similar bugs are present (and known) on system at least for couple of years now, and in latest stable version inclusive. So it renders use of TERP for direct customer interaction, extremely unsafe.
sraps |
Thanks a lot, Sraps. It is really a vital input.
Does this bug existing from two years mean that there is some architectural constraint and this bug can not be removed? Are there plans to remove this bug in 5.0? Need more inputs, as this might be vital to our projects.
Would appreciate all possible references on these bugs and ways to circumvent these, if any. _________________ Sanjay
RAD Solutions Private Limited
sanjay at radsolutions co in |
gegard
Joined: 21 Apr 2006 Posts: 1295 Location: Cambridge, UK
|
Posted: Tue Nov 25, 2008 12:41 pm Post subject: |
|
|
| sraps wrote: | | ... there is a bug which allows changing identity. This and similar bugs are present (and known) on system at least for couple of years now ... |
I didn't know that the portal modules had existed for that long. And perhaps I am not sufficiently smart to understand the problems, but I thought that the default in the main portal module is to restrict users' ability to modify their identity.
Still, I hope you have reported this issue to Tiny on launchpad so they can fix this. I bet they'd fix it fast if they knew of the problem. _________________ Regards,
Geoff
Seath Solutions Ltd |
gegard
Joined: 21 Apr 2006 Posts: 1295 Location: Cambridge, UK
|
Posted: Sat Nov 29, 2008 1:54 pm Post subject: |
|
|
| gegard wrote: | | sraps wrote: | | ... ...This and similar bugs are present (and known) on system at least for couple of years now ... |
... I bet they'd fix it fast if they knew of the problem. |
So it seems that there is no problem and that this comment was just a fabrication. _________________ Regards,
Geoff
Seath Solutions Ltd |
sraps
Joined: 09 Jul 2008 Posts: 313
|
Posted: Mon Dec 01, 2008 12:18 pm Post subject: |
|
|
Oh - my mistake, I see, again when I am not talking up to your official mind, I am wrong...
These are just about one half of the problem:
http://openerp.com/forum/topic7743.html
http://openerp.com/forum/topic6389.html
http://openerp.com/forum/topic2449.html
http://openerp.com/forum/topic4213.html
http://openerp.com/forum/topic3725.html
http://openerp.com/forum/topic896.html
I tried to secure OpenERP, so as not to allow one user to read info not intended for him to see. There are 2 things that should be done - remove access to the menus and to the models that the user should not access. But there is one model that could not be restricted - res.users. If we restrict this model to, let's say, admin, no one else is able to log in. And this is where the plaintext password still lives.
I am very sorry not to find anymore the topic where Fabien himself has proposed a patch - as I remember, a more or less working Python code snippet to replace a password field with a hashed result. But anyway these bugs are well known, but are not implemented. (I do not know of 5th version, have not tried yet.)
Ok, I tried to build a small Perl script (I like this language, and consider it more mature), which logs in as an unprivileged user through an XML-RPC connection and reads the unrestricted res.users model. And this is where you can find any and every login information.
This is true and tried by myself.
Why have I not submitted a patch for this? There are several reasons for this, and you can find them in my other posts. Anyway, I am not the only one who thinks that more attention should be paid to maturity and stability, not only new features.
Recently I discovered a fork for this system called (could be found on tryton.org) Tryton, which aims to fix these issues. This is their policy, do not know how well they are at implementing it, have not tried it yet, although they have a release.
But to me this is clear result for lack of respect and attention to an ordinary contributor, remember German translations and contributions. Ah well, they were wrong too.
Though this absolutely is not good to divide force.
P.S. It should be better if such advocates as gegard would spend a little more time to test not just blindly oppose. Just think, who would spend time to discover things like this, if one would be "fake"?
Good day!
-sraps |
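One way to close the gap described in the post above, written as an added example that is not part of the original thread and is not OpenERP code: store only a salted password hash and strip the secret field from every read, so the users model can stay readable for login purposes without exposing credentials. `UserStore`, its methods and the sample accounts are hypothetical names constructed for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000          # PBKDF2 work factor (value assumed for this sketch)
SECRET_FIELDS = {"password"}  # never returned to any caller of read()

def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_password(password, stored):
    """Check a candidate password against a stored hash in constant time."""
    try:
        scheme, iters, salt_hex, hash_hex = stored.split("$")
        expected = bytes.fromhex(hash_hex)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iters))
    except ValueError:  # malformed record, e.g. a legacy plaintext value
        return False
    return scheme == "pbkdf2_sha256" and hmac.compare_digest(digest, expected)

class UserStore:
    """Hypothetical stand-in for a users model; not OpenERP's res.users code."""
    def __init__(self):
        self._rows = {}

    def create(self, login, password, name):
        uid = len(self._rows) + 1
        self._rows[uid] = {"id": uid, "login": login, "name": name,
                           "password": hash_password(password)}
        return uid

    def login(self, login, password):
        """Server-side credential check; returns the user id or None."""
        for row in self._rows.values():
            if row["login"] == login and verify_password(password, row["password"]):
                return row["id"]
        return None

    def read(self, ids, fields=None):
        """Readable by any logged-in user: secret fields are always dropped."""
        rows = [self._rows[i] for i in ids if i in self._rows]
        return [{f: r[f] for f in (fields or r) if f in r and f not in SECRET_FIELDS}
                for r in rows]
```

Even if a caller asks for the `password` field by name, `read()` omits it, and a leaked database row holds only a salted hash rather than a reusable password.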
gegard
Joined: 21 Apr 2006 Posts: 1295 Location: Cambridge, UK
|
Posted: Mon Dec 01, 2008 2:03 pm Post subject: |
|
|
When you make inflammatory statements with no evidence you can either be ignored or be challenged to produce your evidence. Without evidence, we were not sure that the security we put in place was sufficient.
Thank you for now providing your evidence.
| sraps wrote: | | I do not know of 5th version, have not tried yet. |
Perhaps you should. But it's not necessary to go to version 5 to implement an OpenERP system that's secure for its situation. _________________ Regards,
Geoff
Seath Solutions Ltd |
sraps
Joined: 09 Jul 2008 Posts: 313
|
Posted: Mon Dec 01, 2008 4:19 pm Post subject: |
|
|
| Quote: | | When you make inflammatory statements with no evidence you can either be ignored or be challenged to produce your evidence. Without evidence, we were not sure that the security we put in place was sufficient. |
To my mind, the framework (OpenObject and OpenERP base) is not a thing to be changed by somebody other than the root maintainer. Things like these just produce instabilities.
More specifically, this issue is too well known, maybe except to newbies, to provide evidence. This is why I helped skpatel20 out.
| Quote: | | Perhaps you should. But it's not necessary to go to version 5 to implement an OpenERP system that's secure for its situation. |
And we will. We are at the implementing phase for a couple of our modules which are developed for the 4.2 tree, that is why I have knowledge of it. We will adapt the modules for the new version a bit later, when a stable release comes out.
Of course OpenERP could be pretty secure if you deal with loyal staff of accountants or managers. If you have the insider man - hacker, or not so loyal partner which you have granted an access rights, even 99,9% restricted, then you are in trouble.
sraps |
skpatel20
Joined: 04 Nov 2008 Posts: 83 Location: India
|
Posted: Wed Dec 03, 2008 7:38 am Post subject: |
|
|
Would be watching this thread to get further updates such as version 5 status etc.
thanks, _________________ Sanjay
RAD Solutions Private Limited
sanjay at radsolutions co in |
gegard
Joined: 21 Apr 2006 Posts: 1295 Location: Cambridge, UK
|
Posted: Wed Dec 03, 2008 9:36 am Post subject: |
|
|
| skpatel20 wrote: | | Would be watching this thread to get further updates such as version 5 status etc.... |
Probably not the right place for that.
| gegard wrote: | | ... it's not necessary to go to version 5 to implement an OpenERP system that's secure for its situation. |
What version 5 does most noticeably is that the model and group security (already within OpenERP) are configured by default rather than left for the implementor to configure. It saves time if you are happy with the defaults, and there are some new features to help with that. _________________ Regards,
Geoff
Seath Solutions Ltd |
|