From 10fce02eb0ee8c9eb9fa19c9ab0af8ef19b3ab2e Mon Sep 17 00:00:00 2001
From: Martin Trigaux
Date: Fri, 25 Jul 2014 10:57:30 +0200
Subject: [PATCH] [FIX] website_membership: access rules fixes

When searching on memberships, we use domain clauses in the format 'partner.x = y' where partner is a many2one to res.partner. The object res.partner has strict security rules for public users and this search will return zero result if not done with SUPERUSER_ID. In addition, we need to access the list of products (membership_ids) in the domain to be sure we will retrieve only published membership (otherwise it would crash in the sort below).
---
 addons/website_membership/controllers/main.py | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/addons/website_membership/controllers/main.py b/addons/website_membership/controllers/main.py
index a4932c1b46c..e8787978e43 100644
--- a/addons/website_membership/controllers/main.py
+++ b/addons/website_membership/controllers/main.py
@@ -50,7 +50,7 @@ class WebsiteMembership(http.Controller):
                                  ('partner.website_description', 'ilike', post_name)]
 
         # group by country, based on all customers (base domain)
-        membership_line_ids = membership_line_obj.search(cr, uid, base_line_domain, context=context)
+        membership_line_ids = membership_line_obj.search(cr, SUPERUSER_ID, base_line_domain, context=context)
         countries = partner_obj.read_group(
             cr, uid, [('member_lines', 'in', membership_line_ids), ("website_published", "=", True)], ["id", "country_id"],
             groupby="country_id", orderby="country_id", context=request.context)
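Review bot: The new search call names `SUPERUSER_ID` unqualified, while the existing partner read in the third hunk uses `openerp.SUPERUSER_ID`; unless the module already imports `SUPERUSER_ID` at top level (not visible in this diff), the line raises NameError on the first request, and even if it does, one spelling should be used throughout — the same applies to the replaced `membership_line_ids` search in the second hunk. Running the search as superuser also removes the res.partner record rules from the result; in this hunk the ids are narrowed again by `read_group` as `uid` with `website_published = True`, but in the second hunk the matching partners are later read as `openerp.SUPERUSER_ID` as well, so that path depends on `line_domain` (built outside the hunk) still carrying the partner publication filter. That invariant is worth stating at the elevated call: `# superuser search: public users' record rules on res.partner would hide every 'partner.x' match; the domain must keep the partner.website_published filter`. The enclosing method starts outside the hunk.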
@@ -72,8 +72,14 @@ class WebsiteMembership(http.Controller):
                 'country_id': (0, _("All Countries"))
             })
 
+        # format domain for group_by and memberships
+        membership_ids = product_obj.search(cr, uid, [('membership', '=', True)], order="website_sequence", context=context)
+        memberships = product_obj.browse(cr, uid, membership_ids, context=context)
+        # make sure we don't access to lines with unpublished membershipts
+        line_domain.append(('membership_id', 'in', membership_ids))
+
         # displayed membership lines
-        membership_line_ids = membership_line_obj.search(cr, uid, line_domain, context=context)
+        membership_line_ids = membership_line_obj.search(cr, SUPERUSER_ID, line_domain, context=context)
         membership_lines = membership_line_obj.browse(cr, uid, membership_line_ids, context=context)
         membership_lines.sort(key=lambda x: x.membership_id.website_sequence)
         partner_ids = [m.partner and m.partner.id for m in membership_lines]
@@ -83,10 +89,6 @@ class WebsiteMembership(http.Controller):
         for partner in partner_obj.read(cr, openerp.SUPERUSER_ID, partner_ids, request.website.get_partner_white_list_fields(), context=context):
             partners_data[partner.get("id")] = partner
 
-        # format domain for group_by and memberships
-        membership_ids = product_obj.search(cr, uid, [('membership', '=', True)], order="website_sequence", context=context)
-        memberships = product_obj.browse(cr, uid, membership_ids, context=context)
-
         # request pager for lines
         pager = request.website.pager(url="/members/", total=len(membership_line_ids), page=page, step=self._references_per_page, scope=7, url_args=post)
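Review bot: The added comment above `line_domain.append(...)` has a typo ("membershipts") and does not say why the restriction matters, which is the actual safety argument of this change: `membership_ids` is searched as `uid`, so per the commit message it holds only products the requesting user may read, and the superuser line search below would otherwise return lines whose `membership_id` the `uid` browse cannot access, crashing in `membership_lines.sort(...)`. Suggested replacement: `# membership_ids was searched as uid, so it only contains products this user may read; restricting the lines to them keeps the sort on membership_id.website_sequence below from touching an unpublished product`. Note that `line_domain.append` mutates the list in place; if `line_domain` is reused elsewhere in the method (built outside this hunk), a copy would be safer. The enclosing method continues past the hunk.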