0005927: oxarticle and oxcategory Objects are deleteable without having the permission by Rights and Roles when using ERP / CSV.

ID	Project	Category	View Status	Date Submitted	Last Update

0005927	OXID ERP Interface	OXID ERP Interface - sub	public	2014-10-22 14:02	2024-01-17 14:56

Reporter	michael_keiluweit	Assigned To
Priority	normal	Severity	major	Reproducibility	always
Status	acknowledged	Resolution	open
Product Version	2.13.0

Summary	0005927: oxarticle and oxcategory Objects are deleteable without having the permission by Rights and Roles when using ERP / CSV.
Description	When the rights and roles for an article (or a category) object are set to only readable or not accessable and it is not explicit set in the submenu "objects", too (Please have a look at attached pictures 1 and 2), then the object is deletable.
Additional Information	this works also for all non article/category objects, but for those the complete rights and roles aren't working. See 0005926
Tags	CSV, EE, ERP, Rights & Roles, SOAP
Attached Files	1.PNG (12,332 bytes) 1.PNG (12,332 bytes) 2.PNG (15,984 bytes) 2.PNG (15,984 bytes) 3.PNG (27,360 bytes) 3.PNG (27,360 bytes)