From 77868ec4f978914cc0f632c27c74d9bb6bf18515 Mon Sep 17 00:00:00 2001 From: Olivier Dony Date: Tue, 4 Aug 2015 12:08:24 +0200 Subject: [PATCH 1/6] [FIX] base, auth_openid: wrong implementation of API by auth_openid Authentication modules are supposed to override res_users.check_credentials() in order to plug in their own mechanism, without actually modifying the behavior of res_users.check(), res_users.authenticate() or res_users._login(). auth_openid was incorrectly overriding check() instead of check_credentials(), and unnecessarily accessing private attributes of res_users. Fixing the implementation of auth_openid to follow the API means we can completely make those attributes private. --- addons/auth_openid/res_users.py | 22 +++++++++------------- openerp/addons/base/res/res_users.py | 21 +++++++++------------ 2 files changed, 18 insertions(+), 25 deletions(-) diff --git a/addons/auth_openid/res_users.py b/addons/auth_openid/res_users.py index 79d86a1bac3..da99747fea4 100644 --- a/addons/auth_openid/res_users.py +++ b/addons/auth_openid/res_users.py @@ -73,22 +73,18 @@ class res_users(osv.osv): cr.commit() return res[0] if res else False - def check(self, db, uid, passwd): + def check_credentials(self, cr, uid, password): try: - return super(res_users, self).check(db, uid, passwd) + return super(res_users, self).check_credentials(cr, uid, password) except openerp.exceptions.AccessDenied: - if not passwd: + cr.execute('''SELECT COUNT(1) + FROM res_users + WHERE id=%s + AND openid_key=%s + AND active=%s''', + (int(uid), passwd, True)) + if not cr.fetchone()[0]: raise - with RegistryManager.get(db).cursor() as cr: - cr.execute('''SELECT COUNT(1) - FROM res_users - WHERE id=%s - AND openid_key=%s - AND active=%s''', - (int(uid), passwd, True)) - if not cr.fetchone()[0]: - raise - self._uid_cache.setdefault(db, {})[uid] = passwd res_users() diff --git a/openerp/addons/base/res/res_users.py b/openerp/addons/base/res/res_users.py index c678deff47f..ece49258f44 100644 
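Review bot: The rewritten `except openerp.exceptions.AccessDenied:` branch drops the old `if not passwd: raise` guard, so `check_credentials()` now compares whatever it receives against `openid_key` and relies on every caller having rejected an empty password first. `res_users.check()` does reject it in this same patch, but other callers of `check_credentials()` are not visible here. I would keep the guard as the first statement of the branch, `if not password: raise`, so a row whose `openid_key` is an empty string can never satisfy the query. The query parameters still bind `passwd`, which is no longer a name under the new signature; PATCH 4/6 in this series corrects that. The class body starts outside the hunk.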
--- a/openerp/addons/base/res/res_users.py +++ b/openerp/addons/base/res/res_users.py @@ -136,7 +136,7 @@ class res_users(osv.osv): avatar, ... The user model is now dedicated to technical data. """ __admin_ids = {} - _uid_cache = {} + __uid_cache = {} _inherits = { 'res.partner': 'partner_id', } @@ -336,10 +336,10 @@ class res_users(osv.osv): clear = partial(self.pool.get('ir.rule').clear_cache, cr) map(clear, ids) db = cr.dbname - if db in self._uid_cache: + if db in self.__uid_cache: for id in ids: - if id in self._uid_cache[db]: - del self._uid_cache[db][id] + if id in self.__uid_cache[db]: + del self.__uid_cache[db][id] self.context_get.clear_cache(self) return res @@ -347,10 +347,10 @@ class res_users(osv.osv): if 1 in ids: raise osv.except_osv(_('Can not remove root user!'), _('You can not remove the admin user as it is used internally for resources created by OpenERP (updates, module installation, ...)')) db = cr.dbname - if db in self._uid_cache: + if db in self.__uid_cache: for id in ids: - if id in self._uid_cache[db]: - del self._uid_cache[db][id] + if id in self.__uid_cache[db]: + del self.__uid_cache[db][id] return super(res_users, self).unlink(cr, uid, ids, context=context) def name_search(self, cr, user, name='', args=None, operator='ilike', context=None, limit=100): @@ -491,15 +491,12 @@ class res_users(osv.osv): if not passwd: # empty passwords disallowed for obvious security reasons raise openerp.exceptions.AccessDenied() - if self._uid_cache.get(db, {}).get(uid) == passwd: + if self.__uid_cache.setdefault(db, {}).get(uid) == passwd: return cr = pooler.get_db(db).cursor() try: self.check_credentials(cr, uid, passwd) - if self._uid_cache.has_key(db): - self._uid_cache[db][uid] = passwd - else: - self._uid_cache[db] = {uid:passwd} + self.__uid_cache[db][uid] = passwd finally: cr.close() From 39b0a4c2ccaee8f31f5dae62ff502a8bc5c2cfe9 Mon Sep 17 00:00:00 2001 
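Review bot: `__uid_cache` holds the password in clear text per database and uid (`self.__uid_cache[db][uid] = passwd` in the hunk at 491), and nothing at the declaration in the hunk at 136 says so. The double underscore is also weaker than the commit message implies. Python mangles the name with the class the code is written in, and the addon changed in this same patch is also declared `class res_users(osv.osv)`, so a `self.__uid_cache` written there would mangle to the same attribute and presumably still resolve. I would add a comment above the declaration, `# db -> {uid: clear-text password}; read and written only by check()`, and treat the privacy as a convention that review has to enforce. check() and the methods in the hunks at 336 and 347 begin outside their hunks.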
From: Goffin Simon Date: Fri, 7 Aug 2015 11:07:52 +0200 Subject: [PATCH 2/6] [FIX] account: tax_sign When changing manually the amount of tax in supplier invoice, the tax sign of the tax must be kept. Back-port of 4f6eebf698b78cdd2001129f231c0a0e2 opw:645691 --- addons/account/account_invoice.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/addons/account/account_invoice.py b/addons/account/account_invoice.py index 79294085488..6aa17a24c0a 100644 --- a/addons/account/account_invoice.py +++ b/addons/account/account_invoice.py @@ -1708,7 +1708,9 @@ class account_invoice_tax(osv.osv): company_currency = company_obj.read(cr, uid, [company_id], ['currency_id'])[0]['currency_id'][0] if currency_id and company_currency: amount = cur_obj.compute(cr, uid, currency_id, company_currency, amount, context={'date': date_invoice or fields.date.context_today(self, cr, uid)}, round=False) - return {'value': {'tax_amount': amount}} + tax_rec = self.browse(cr, uid, ids) + tax_sign = (tax_rec[0].tax_amount / tax_rec[0].amount) if tax_rec and tax_rec[0].amount else 1 + return {'value': {'tax_amount': amount * tax_sign}} _order = 'sequence' _defaults = { From 5e4c09ae5334159fbf9126493cbf0e7dcbef3859 Mon Sep 17 00:00:00 2001 From: Olivier Dony Date: Thu, 6 Aug 2015 14:52:16 +0200 Subject: [PATCH 3/6] [FIX] res.users: more consistent handling of user private fields --- openerp/addons/base/res/res_users.py | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/openerp/addons/base/res/res_users.py b/openerp/addons/base/res/res_users.py index ece49258f44..3b01313dc7c 100644 --- a/openerp/addons/base/res/res_users.py +++ b/openerp/addons/base/res/res_users.py 
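Review bot: `tax_sign` is computed as the ratio `tax_rec[0].tax_amount / tax_rec[0].amount`, not as a sign, so any factor other than the sign that separates the two stored values is multiplied into the result too. `amount` has already gone through `cur_obj.compute(...)` one line earlier; if the stored `tax_amount` is kept in company currency (not visible here), the rate would be applied twice on a foreign-currency invoice. A stored `tax_amount` of 0 also pins the result to 0. If only the sign is meant to survive, `tax_sign = -1 if tax_rec and tax_rec[0].tax_amount * tax_rec[0].amount < 0 else 1` keeps it without carrying the magnitude. The enclosing method starts outside the hunk.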
@@ -305,6 +305,24 @@ class res_users(osv.osv): return result + def read_group(self, cr, uid, domain, fields, groupby, offset=0, limit=None, context=None, orderby=False): + if uid != SUPERUSER_ID: + groupby_fields = set([groupby] if isinstance(groupby, basestring) else groupby) + if groupby_fields.intersection(USER_PRIVATE_FIELDS): + raise openerp.exceptions.AccessError('Invalid groupby') + return super(res_users, self).read_group( + cr, uid, domain, fields, groupby, offset=offset, limit=limit, context=context, orderby=orderby) + + def _search(self, cr, user, args, offset=0, limit=None, order=None, context=None, count=False, access_rights_uid=None): + if user != SUPERUSER_ID and args: + domain_terms = [term for term in args if isinstance(term, (tuple, list))] + domain_fields = set(left for (left, op, right) in domain_terms) + if domain_fields.intersection(USER_PRIVATE_FIELDS): + raise openerp.exceptions.AccessError('Invalid search criterion') + return super(res_users, self)._search( + cr, user, args, offset=offset, limit=limit, order=order, context=context, count=count, + access_rights_uid=access_rights_uid) + def create(self, cr, uid, vals, context=None): user_id = super(res_users, self).create(cr, uid, vals, context=context) user = self.browse(cr, uid, user_id, context=context) From da8855ad2b476f0f09272fa078f5a3094beb733a Mon Sep 17 00:00:00 2001 From: Olivier Dony Date: Fri, 7 Aug 2015 14:17:42 +0200 Subject: [PATCH 4/6] [FIX] auth_openid: typo in rev. 77868ec --- addons/auth_openid/res_users.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/addons/auth_openid/res_users.py b/addons/auth_openid/res_users.py index da99747fea4..6328596017a 100644 --- a/addons/auth_openid/res_users.py +++ b/addons/auth_openid/res_users.py @@ -82,7 +82,7 @@ class res_users(osv.osv): WHERE id=%s AND openid_key=%s AND active=%s''', - (int(uid), passwd, True)) + (int(uid), password, True)) if not cr.fetchone()[0]: raise 
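Review bot: `read_group()` validates only `groupby` and hands its `domain` argument to `super()` unchecked, so the private-field filter enforced in `_search()` applies there only if the base `read_group` routes the domain through `_search`, which is not visible in this hunk. I would factor the domain check into one helper and call it from both methods. Indexing `term[0]` instead of unpacking `(left, op, right)` also keeps a malformed term from surfacing as a `ValueError` rather than an access error. `order` and `orderby` are likewise forwarded as given, so it is worth confirming that the base implementation cannot sort on `USER_PRIVATE_FIELDS`. The class body starts outside the hunk.

```python
    def _check_private_domain(self, uid, domain):
        """Reject any domain term whose left operand is a private user field."""
        if uid == SUPERUSER_ID or not domain:
            return
        for term in domain:
            if isinstance(term, (tuple, list)) and term and term[0] in USER_PRIVATE_FIELDS:
                raise openerp.exceptions.AccessError('Invalid search criterion')

    def read_group(self, cr, uid, domain, fields, groupby, offset=0, limit=None, context=None, orderby=False):
        self._check_private_domain(uid, domain)
        # … unchanged: groupby check and super() call …

    def _search(self, cr, user, args, offset=0, limit=None, order=None, context=None, count=False, access_rights_uid=None):
        self._check_private_domain(user, args)
        # … unchanged: super() call …
```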
From 4a46ca474d5df15a711deb06bf1e1843c3e7168b Mon Sep 17 00:00:00 2001 From: Goffin Simon Date: Fri, 7 Aug 2015 14:16:42 +0200 Subject: [PATCH 5/6] [FIX] sale: comment in partial invoice When a partial invoice is created from a sale order, the field "note" in the sale order must be written in the field "comment" of the invoice. opw:646852 --- addons/sale/wizard/sale_make_invoice_advance.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/addons/sale/wizard/sale_make_invoice_advance.py b/addons/sale/wizard/sale_make_invoice_advance.py index 750d450e3be..38300076407 100644 --- a/addons/sale/wizard/sale_make_invoice_advance.py +++ b/addons/sale/wizard/sale_make_invoice_advance.py @@ -147,7 +147,7 @@ class sale_advance_payment_inv(osv.osv_memory): 'partner_id': sale.partner_invoice_id.id, 'invoice_line': [(0, 0, inv_line_values)], 'currency_id': sale.pricelist_id.currency_id.id, - 'comment': '', + 'comment': sale.note, 'payment_term': sale.payment_term.id, 'fiscal_position': sale.fiscal_position.id or sale.partner_id.property_account_position.id } From f41026631f05fa2c8a046f10c79ce564284c18a3 Mon Sep 17 00:00:00 2001 From: Wolfgang Taferner Date: Wed, 29 Jul 2015 10:14:21 +0200 Subject: [PATCH 6/6] [FIX] account: add missing onchange attribute for payment term computation Fixes #5118 Closes #7777 --- addons/account/account_invoice_view.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/addons/account/account_invoice_view.xml b/addons/account/account_invoice_view.xml index 19919e53877..ab6c921c6ca 100644 --- a/addons/account/account_invoice_view.xml +++ b/addons/account/account_invoice_view.xml @@ -254,7 +254,7 @@ - + @@ -386,7 +386,7 @@ - +