[FIX] website_membership: access rules fixes

When searching on memberships, we use domain clauses in the format 'partner.x = y', where partner is a many2one to res.partner. The res.partner object has strict security rules for public users, so this search returns zero results unless it is done with SUPERUSER_ID.
In addition, we need the list of products (membership_ids) in the domain to be sure we retrieve only published memberships (otherwise the sort below would crash).
Martin Trigaux 2014-07-25 10:57:30 +02:00
parent de34d66860
commit 10fce02eb0
1 changed files with 8 additions and 6 deletions


@ -50,7 +50,7 @@ class WebsiteMembership(http.Controller):
('partner.website_description', 'ilike', post_name)]
# group by country, based on all customers (base domain)
membership_line_ids = membership_line_obj.search(cr, uid, base_line_domain, context=context)
membership_line_ids = membership_line_obj.search(cr, SUPERUSER_ID, base_line_domain, context=context)
countries = partner_obj.read_group(
cr, uid, [('member_lines', 'in', membership_line_ids), ("website_published", "=", True)], ["id", "country_id"],
groupby="country_id", orderby="country_id", context=request.context)
@ -72,8 +72,14 @@ class WebsiteMembership(http.Controller):
'country_id': (0, _("All Countries"))
})
# format domain for group_by and memberships
membership_ids = product_obj.search(cr, uid, [('membership', '=', True)], order="website_sequence", context=context)
memberships = product_obj.browse(cr, uid, membership_ids, context=context)
# make sure we don't access to lines with unpublished membershipts
line_domain.append(('membership_id', 'in', membership_ids))
# displayed membership lines
membership_line_ids = membership_line_obj.search(cr, uid, line_domain, context=context)
membership_line_ids = membership_line_obj.search(cr, SUPERUSER_ID, line_domain, context=context)
membership_lines = membership_line_obj.browse(cr, uid, membership_line_ids, context=context)
membership_lines.sort(key=lambda x: x.membership_id.website_sequence)
partner_ids = [m.partner and m.partner.id for m in membership_lines]
@ -83,10 +89,6 @@ class WebsiteMembership(http.Controller):
for partner in partner_obj.read(cr, openerp.SUPERUSER_ID, partner_ids, request.website.get_partner_white_list_fields(), context=context):
partners_data[partner.get("id")] = partner
# format domain for group_by and memberships
membership_ids = product_obj.search(cr, uid, [('membership', '=', True)], order="website_sequence", context=context)
memberships = product_obj.browse(cr, uid, membership_ids, context=context)
# request pager for lines
pager = request.website.pager(url="/members/", total=len(membership_line_ids), page=page, step=self._references_per_page, scope=7, url_args=post)
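Review bot: With both `membership_line_obj.search` calls now running as `SUPERUSER_ID`, record rules no longer restrict which membership lines a public visitor's `post_name` filter can match, so the domain itself becomes the only access control on this listing. The hunk at -72 adds `('membership_id', 'in', membership_ids)`, which limits lines to memberships visible to `uid`, but nothing visible here limits them to published partners the way the `read_group` call does with `("website_published", "=", True)`. `base_line_domain` and `line_domain` are built outside these hunks; if they do not already carry it, add `('partner.website_published', '=', True)` explicitly, and put a comment beside each superuser search such as `# superuser search: record rules are bypassed, the domain must restrict to published partners`. The new lines also use bare `SUPERUSER_ID` while the unchanged `partner_obj.read` call uses `openerp.SUPERUSER_ID`; no import is added in this commit, so confirm the name is already imported at the top of the file.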