
openerp-community-reviewer team mailing list archive

[Merge] lp:~therp-nl/ocb-server/6.1-attachment_search_invalid_model into lp:ocb-server/6.1

 

Stefan Rijnhart (Therp) has proposed merging lp:~therp-nl/ocb-server/6.1-attachment_search_invalid_model into lp:ocb-server/6.1.

Requested reviews:
  OpenERP Community Backports (ocb)

For more details, see:
https://code.launchpad.net/~therp-nl/ocb-server/6.1-attachment_search_invalid_model/+merge/250184

Fix problems with accessing attachments with missing models or record ids. Backports of

https://github.com/odoo/odoo/commit/eb9113c04d66627fbe04b473b9010e5de973c6aa
https://github.com/odoo/odoo/commit/4669f05406b07074c38b4d19c0c2ddf4e9407918

-- 
Your team OpenERP Community Backports is requested to review the proposed merge of lp:~therp-nl/ocb-server/6.1-attachment_search_invalid_model into lp:ocb-server/6.1.
=== modified file 'openerp/addons/base/ir/ir_attachment.py'
--- openerp/addons/base/ir/ir_attachment.py	2013-09-10 14:15:41 +0000
+++ openerp/addons/base/ir/ir_attachment.py	2015-02-18 18:34:28 +0000
@@ -23,6 +23,7 @@
 
 from osv import fields,osv
 from osv.orm import except_orm
+from openerp.tools.translate import _
 import tools
 
 class ir_attachment(osv.osv):
@@ -34,12 +35,14 @@
         if not ids:
             return
         res_ids = {}
+        require_employee = False
         if ids:
             if isinstance(ids, (int, long)):
                 ids = [ids]
             cr.execute('SELECT DISTINCT res_model, res_id FROM ir_attachment WHERE id = ANY (%s)', (ids,))
             for rmod, rid in cr.fetchall():
                 if not (rmod and rid):
+                    require_employee = True
                     continue
                 res_ids.setdefault(rmod,set()).add(rid)
         if values:
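Review bot: The `require_employee` flag initialised at the top of this hunk changes who may access attachments that have no `res_model`/`res_id`, but nothing in the code explains that. A comment at the initialisation would help, e.g. `# attachments not linked to a document cannot be checked against it: require the employee group instead`. The `if values:` branch opens on the last line of the hunk and its body is not visible here, so it is worth confirming whether a create or write whose values carry no model/record is meant to set the flag too. The `check` method starts and ends outside this hunk.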
@@ -50,9 +53,17 @@
         for model, mids in res_ids.items():
             # ignore attachments that are not attached to a resource anymore when checking access rights
             # (resource was deleted but attachment was not)
-            mids = self.pool.get(model).exists(cr, uid, mids)
+            if not self.pool.get(model):
+                require_employee = True
+                continue
+            existing_ids = self.pool.get(model).exists(cr, uid, mids)
+            if len(existing_ids) != len(mids):
+                require_employee = True
             ima.check(cr, uid, model, mode)
-            self.pool.get(model).check_access_rule(cr, uid, mids, mode, context=context)
+            self.pool.get(model).check_access_rule(cr, uid, existing_ids, mode, context=context)
+        if require_employee:
+            if not self.pool['ir.model.access'].check_groups(cr, uid, 'base.group_user'):
+                raise except_orm(_('Access Denied'), _("Sorry, you are not allowed to access this document."))
 
     def _search(self, cr, uid, args, offset=0, limit=None, order=None, context=None, count=False, access_rights_uid=None):
         ids = super(ir_attachment, self)._search(cr, uid, args, offset=offset,
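Review bot: The final group test looks the access model up again with `self.pool['ir.model.access']`, although `ima` is already used a few lines above in `ima.check(cr, uid, model, mode)`. It is presumably that same model, but its assignment is outside the hunk. If so, `if require_employee and not ima.check_groups(cr, uid, 'base.group_user'):` would match the rest of the method and flatten the nested `if`. `self.pool.get(model)` is also evaluated up to three times per iteration and could be bound once to a local. The context comment above the loop still says these attachments are ignored, while the new code restricts them to employees, so it should be reworded, e.g. `# attachments whose model or record is gone cannot be checked against it; they are restricted to employees below`.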
@@ -87,6 +98,8 @@
         # performed in batch as much as possible.
         ima = self.pool.get('ir.model.access')
         for model, targets in model_attachments.iteritems():
+            if model not in self.pool:
+                continue        
             if not ima.check(cr, uid, model, 'read', False):
                 # remove all corresponding attachment ids
                 for attach_id in itertools.chain(*targets.values()):
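Review bot: Skipping an unknown model with `continue` leaves its attachment ids in the search result, whereas `check` in the same file now denies such attachments to users outside `base.group_user`. The rest of the loop is outside this hunk, so it is not visible whether anything later filters those ids. If nothing does, a non-employee could get ids from a search that a later access check rejects with Access Denied; consider dropping them here for non-employees, or add a comment saying why they are kept. The membership test also differs from `check`, which uses `self.pool.get(model)`. Using `if not self.pool.get(model):` here would keep the two consistent and avoid depending on the 6.1 registry supporting `in`. The `continue` line also carries trailing whitespace.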

