[IMP] Event Security Fix + Publish Track

bzr revid: fp@tinyerp.com-20140227131144-8rq3woldpl1zbppj
2014-02-27 14:11:44 +01:00 · 2014-02-27 14:11:44 +01:00 · 100cc571cd
parent 3324351bf6
commit 100cc571cd
3 changed files with 6 additions and 18 deletions
--- a/addons/website_event/controllers/main.py
+++ b/addons/website_event/controllers/main.py
@ -187,18 +187,6 @@ class website_event(http.Controller):
        }
        return request.website.render("website_event.event_description_full", values)

-    @http.route(['/event/publish'], type='json', auth="public", website=True)
-    def publish(self, id, object):
-        # if a user publish an event, he publish all linked res.partner
-        event = request.registry[object].browse(request.cr, request.uid, int(id))
-        if not event.website_published:
-            if event.organizer_id and not event.organizer_id.website_published:
-                event.organizer_id.write({'website_published': True})
-            if event.address_id and not event.address_id.website_published:
-                event.address_id.write({'website_published': True})
-
-        return controllers.publish(id, object)
-
    @http.route('/event/add_event/', type='http', auth="user", multilang=True, methods=['POST'], website=True)
    def add_event(self, event_name="New Event", **kwargs):
        return self._add_event(event_name, request.context, **kwargs)
--- a/addons/website_event/views/website_event.xml
+++ b/addons/website_event/views/website_event.xml
@ -189,11 +189,6 @@
                    </ol>
                </div>
                <div class="col-sm-5" groups="event.group_event_manager">
-                    <t t-call="website.publish_management">
-                        <t t-set="object" t-value="event"/>
-                        <t t-set="publish_edit" t-value="True"/>
-                        <t t-set="publish_controller">/event/publish</t>
-                    </t>
                </div>
            </div>
        </div>
@ -266,7 +261,6 @@
                        <t t-call="website.publish_management">
                            <t t-set="object" t-value="comment"/>
                            <t t-set="publish_edit" t-value="True"/>
-                            <t t-set="publish_controller">/event/publish</t>
                        </t>
                        <t t-raw="comment.body"/>
                        <small class="pull-right muted text-right">
--- a/addons/website_event_track/views/website_event.xml
+++ b/addons/website_event_track/views/website_event.xml
@ -194,6 +194,12 @@
 <template id="track_view">
    <t t-call="website_event.layout">
        <div class="container">
+            <t t-call="website.publish_management">
+                <t t-set="object" t-value="track"/>
+                <t t-set="publish_edit" t-value="True"/>
+            </t>
+            <div class="clearfix"/>
+
            <h2 t-field="track.name" class="text-center"/>
            <h3 t-field="event.name" class="text-center text-muted"/>
            <ul t-if="track.tag_ids" class="text-center text-muted list-inline">