0005927: oxarticle and oxcategory Objects are deleteable without having the permission by Rights and Roles when using ERP / CSV.

ID	Project	Category	View Status	Date Submitted	Last Update

0005927	OXID ERP Interface	OXID ERP Interface - sub	public	2014-10-22 14:02	2024-12-11 11:55

Reporter	michael_keiluweit	Assigned To
Priority	normal	Severity	major	Reproducibility	always
Status	closed	Resolution	no change required
Product Version	2.13.0

Summary	0005927: oxarticle and oxcategory Objects are deleteable without having the permission by Rights and Roles when using ERP / CSV.
Description	When the rights and roles for an article (or a category) object are set to only readable or not accessable and it is not explicit set in the submenu "objects", too (Please have a look at attached pictures 1 and 2), then the object is deletable.
Additional Information	this works also for all non article/category objects, but for those the complete rights and roles aren't working. See 0005926
Tags	CSV, EE, ERP, Rights & Roles, SOAP
Attached Files	1.PNG (12,332 bytes) 1.PNG (12,332 bytes) 2.PNG (15,984 bytes) 2.PNG (15,984 bytes) 3.PNG (27,360 bytes) 3.PNG (27,360 bytes)

SvenBrunk 2024-12-11 11:55 administrator ~0017768	This works exactly as designed. The rights and roles panel only controls what actions are available to you in the admin area. Only the object rights control what you are allowed to do and this is also only defined for oxarticles and oxcategories. From your screenshot you ARE allowed to delete both from oxarticles and from oxcategories.