Merge pull request #1076 from xmo-odoo/8.0-shop-fix-xmo
Fix access rights issues in new API for the shop home page
This commit is contained in:
commit
16d67445da
|
@ -1567,6 +1567,12 @@ class calendar_event(osv.Model):
|
|||
select = [ids]
|
||||
else:
|
||||
select = ids
|
||||
|
||||
# FIXME: find a better way to not push virtual ids in the cache
|
||||
# (leading to their prefetching and ultimately a type error when
|
||||
# postgres tries to convert '14-3489274297' to an integer)
|
||||
self.invalidate_cache(cr, uid, context=context)
|
||||
|
||||
select = map(lambda x: (x, calendar_id2real_id(x)), select)
|
||||
result = []
|
||||
real_data = super(calendar_event, self).read(cr, uid, [real_id for calendar_id, real_id in select], fields=fields2, context=context, load=load)
|
||||
|
|
|
@ -8,7 +8,7 @@ access_product_packaging_user,product.packaging.user,model_product_packaging,bas
|
|||
access_product_supplierinfo_user,product.supplierinfo.user,model_product_supplierinfo,base.group_user,1,0,0,0
|
||||
access_pricelist_partnerinfo_user,pricelist.partnerinfo.user,model_pricelist_partnerinfo,base.group_user,1,0,0,0
|
||||
access_product_price_type_user,product.price.type.user,model_product_price_type,base.group_user,1,0,0,0
|
||||
access_product_pricelist_type_user,product.pricelist.type.user,model_product_pricelist_type,base.group_user,1,0,0,0
|
||||
access_product_pricelist_type_user,product.pricelist.type.user,model_product_pricelist_type,,1,0,0,0
|
||||
access_product_pricelist_user,product.pricelist.user,model_product_pricelist,base.group_user,1,0,0,0
|
||||
access_product_pricelist_version_user,product.pricelist.version.user,model_product_pricelist_version,base.group_user,1,0,0,0
|
||||
access_product_pricelist_item_user,product.pricelist.item.user,model_product_pricelist_item,base.group_user,1,0,0,0
|
||||
|
|
|
|
@ -0,0 +1,2 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
import models
|
|
@ -0,0 +1,6 @@
|
|||
{
|
||||
'name': 'test of access rights and rules',
|
||||
'description': "Testing of access restrictions",
|
||||
'version': '0.0.1',
|
||||
'data': ['ir.model.access.csv'],
|
||||
}
|
|
@ -0,0 +1,2 @@
|
|||
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
|
||||
access_test_access_right_some_obj,access_test_access_right_some_obj,model_test_access_right_some_obj,,1,1,1,1
|
|
|
@ -0,0 +1,6 @@
|
|||
from openerp import fields, models
|
||||
|
||||
class SomeObj(models.Model):
|
||||
_name = 'test_access_right.some_obj'
|
||||
|
||||
val = fields.Integer()
|
|
@ -0,0 +1 @@
|
|||
import test_ir_rules
|
|
@ -0,0 +1,33 @@
|
|||
import openerp.exceptions
|
||||
from openerp.tests.common import TransactionCase
|
||||
|
||||
class TestRules(TransactionCase):
|
||||
def setUp(self):
|
||||
super(TestRules, self).setUp()
|
||||
|
||||
self.id1 = self.env['test_access_right.some_obj']\
|
||||
.create({'val': 1}).id
|
||||
self.id2 = self.env['test_access_right.some_obj']\
|
||||
.create({'val': -1}).id
|
||||
# create a global rule forbidding access to records with a negative
|
||||
# (or zero) val
|
||||
self.env['ir.rule'].create({
|
||||
'name': 'Forbid negatives',
|
||||
'model_id': self.browse_ref('test_access_rights.model_test_access_right_some_obj').id,
|
||||
'domain_force': "[('val', '>', 0)]"
|
||||
})
|
||||
|
||||
def test_basic_access(self):
|
||||
env = self.env(user=self.browse_ref('base.public_user'))
|
||||
|
||||
# put forbidden record in cache
|
||||
browse2 = env['test_access_right.some_obj'].browse(self.id2)
|
||||
# this is the one we want
|
||||
browse1 = env['test_access_right.some_obj'].browse(self.id1)
|
||||
|
||||
# this should not blow up
|
||||
self.assertEqual(browse1.val, 1)
|
||||
|
||||
# but this should
|
||||
with self.assertRaises(openerp.exceptions.AccessError):
|
||||
self.assertEqual(browse2.val, -1)
|
|
@ -3102,10 +3102,10 @@ class BaseModel(object):
|
|||
instance) for `self` in cache.
|
||||
"""
|
||||
# fetch the records of this model without field_name in their cache
|
||||
records = self._in_cache_without(field)
|
||||
records = self
|
||||
|
||||
# by default, simply fetch field
|
||||
fnames = set((field.name,))
|
||||
fnames = {field.name}
|
||||
|
||||
if self.pool._init:
|
||||
# columns may be missing from database, do not prefetch other fields
|
||||
|
@ -3124,12 +3124,11 @@ class BaseModel(object):
|
|||
|
||||
# fetch records with read()
|
||||
assert self in records and field.name in fnames
|
||||
result = []
|
||||
try:
|
||||
result = records.read(list(fnames), load='_classic_write')
|
||||
except AccessError as e:
|
||||
# update cache with the exception
|
||||
records._cache[field] = FailedValue(e)
|
||||
result = []
|
||||
except AccessError:
|
||||
pass
|
||||
|
||||
# check the cache, and update it if necessary
|
||||
if field not in self._cache:
|
||||
|
@ -3177,8 +3176,16 @@ class BaseModel(object):
|
|||
'order': self._parent_order or self._order,
|
||||
}
|
||||
|
||||
empty = self.browse()
|
||||
prefetch = set()
|
||||
todo = set()
|
||||
for field in (self._fields[name] for name in field_names):
|
||||
prefetch.update(self._in_cache_without(field).ids)
|
||||
todo.update(self.env.todo.get(field, empty).ids)
|
||||
records = self.browse(prefetch - todo)
|
||||
|
||||
result = []
|
||||
for sub_ids in cr.split_for_in_conditions(self.ids):
|
||||
for sub_ids in cr.split_for_in_conditions(records.ids):
|
||||
cr.execute(query, [tuple(sub_ids)] + rule_params)
|
||||
result.extend(cr.dictfetchall())
|
||||
|
||||
|
@ -3251,9 +3258,9 @@ class BaseModel(object):
|
|||
|
||||
# store failed values in cache for the records that could not be read
|
||||
fetched = self.browse(ids)
|
||||
missing = self - fetched
|
||||
missing = records - fetched
|
||||
if missing:
|
||||
extras = fetched - self
|
||||
extras = fetched - records
|
||||
if extras:
|
||||
raise AccessError(
|
||||
_("Database fetch misses ids ({}) and has extra ids ({}), may be caused by a type incoherence in a previous request").format(
|
||||
|
|
Loading…
Reference in New Issue