From 0fce350cf443cd7bd137e4daab6297ed6f4f9161 Mon Sep 17 00:00:00 2001 From: Denis Ledoux Date: Wed, 20 Aug 2014 14:07:43 +0200 Subject: [PATCH] [FIX] fields: *2many related fields should not be read as superuser one2many and many2many fields depends on the security rules. For instance, on products, with the taxes_id many2many fields, you only see the taxes of your own company, thanks to the multi company security rule With related *2many fields, if you browse it with superuser, you will have all records of the one2many fields, even those you are not allowed to see, as superuser ignores security rules. For instance, taxes_id of product.product is a related of taxes_id of product_template (through the inherits on product.template), and you should see the same taxes on the product template and on the product product (variant). This is not the case if the fields is read using the superuser --- openerp/fields.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/openerp/fields.py b/openerp/fields.py index 35f7e74c9ce..c2f9d93f4d2 100644 --- a/openerp/fields.py +++ b/openerp/fields.py @@ -1484,6 +1484,15 @@ class _RelationalMulti(_Relational): def convert_to_display_name(self, value): raise NotImplementedError() + def _compute_related(self, records): + """ Compute the related field `self` on `records`. """ + for record in records: + value = record + # traverse the intermediate fields, and keep at most one record + for name in self.related[:-1]: + value = value[name][:1] + record[self.name] = value[self.related[-1]] + class One2many(_RelationalMulti): """ One2many field; the value of such a field is the recordset of all the