Merge pull request #1076 from xmo-odoo/8.0-shop-fix-xmo
Fix access rights issues in new API for the shop home page
This commit is contained in:
commit
16d67445da
|
@ -1567,6 +1567,12 @@ class calendar_event(osv.Model):
|
||||||
select = [ids]
|
select = [ids]
|
||||||
else:
|
else:
|
||||||
select = ids
|
select = ids
|
||||||
|
|
||||||
|
# FIXME: find a better way to not push virtual ids in the cache
|
||||||
|
# (leading to their prefetching and ultimately a type error when
|
||||||
|
# postgres tries to convert '14-3489274297' to an integer)
|
||||||
|
self.invalidate_cache(cr, uid, context=context)
|
||||||
|
|
||||||
select = map(lambda x: (x, calendar_id2real_id(x)), select)
|
select = map(lambda x: (x, calendar_id2real_id(x)), select)
|
||||||
result = []
|
result = []
|
||||||
real_data = super(calendar_event, self).read(cr, uid, [real_id for calendar_id, real_id in select], fields=fields2, context=context, load=load)
|
real_data = super(calendar_event, self).read(cr, uid, [real_id for calendar_id, real_id in select], fields=fields2, context=context, load=load)
|
||||||
|
|
|
@ -8,7 +8,7 @@ access_product_packaging_user,product.packaging.user,model_product_packaging,bas
|
||||||
access_product_supplierinfo_user,product.supplierinfo.user,model_product_supplierinfo,base.group_user,1,0,0,0
|
access_product_supplierinfo_user,product.supplierinfo.user,model_product_supplierinfo,base.group_user,1,0,0,0
|
||||||
access_pricelist_partnerinfo_user,pricelist.partnerinfo.user,model_pricelist_partnerinfo,base.group_user,1,0,0,0
|
access_pricelist_partnerinfo_user,pricelist.partnerinfo.user,model_pricelist_partnerinfo,base.group_user,1,0,0,0
|
||||||
access_product_price_type_user,product.price.type.user,model_product_price_type,base.group_user,1,0,0,0
|
access_product_price_type_user,product.price.type.user,model_product_price_type,base.group_user,1,0,0,0
|
||||||
access_product_pricelist_type_user,product.pricelist.type.user,model_product_pricelist_type,base.group_user,1,0,0,0
|
access_product_pricelist_type_user,product.pricelist.type.user,model_product_pricelist_type,,1,0,0,0
|
||||||
access_product_pricelist_user,product.pricelist.user,model_product_pricelist,base.group_user,1,0,0,0
|
access_product_pricelist_user,product.pricelist.user,model_product_pricelist,base.group_user,1,0,0,0
|
||||||
access_product_pricelist_version_user,product.pricelist.version.user,model_product_pricelist_version,base.group_user,1,0,0,0
|
access_product_pricelist_version_user,product.pricelist.version.user,model_product_pricelist_version,base.group_user,1,0,0,0
|
||||||
access_product_pricelist_item_user,product.pricelist.item.user,model_product_pricelist_item,base.group_user,1,0,0,0
|
access_product_pricelist_item_user,product.pricelist.item.user,model_product_pricelist_item,base.group_user,1,0,0,0
|
||||||
|
|
|
|
@ -0,0 +1,2 @@
|
||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
import models
|
|
@ -0,0 +1,6 @@
|
||||||
|
{
|
||||||
|
'name': 'test of access rights and rules',
|
||||||
|
'description': "Testing of access restrictions",
|
||||||
|
'version': '0.0.1',
|
||||||
|
'data': ['ir.model.access.csv'],
|
||||||
|
}
|
|
@ -0,0 +1,2 @@
|
||||||
|
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
|
||||||
|
access_test_access_right_some_obj,access_test_access_right_some_obj,model_test_access_right_some_obj,,1,1,1,1
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
from openerp import fields, models
|
||||||
|
|
||||||
|
class SomeObj(models.Model):
|
||||||
|
_name = 'test_access_right.some_obj'
|
||||||
|
|
||||||
|
val = fields.Integer()
|
|
@ -0,0 +1 @@
|
||||||
|
import test_ir_rules
|
|
@ -0,0 +1,33 @@
|
||||||
|
import openerp.exceptions
|
||||||
|
from openerp.tests.common import TransactionCase
|
||||||
|
|
||||||
|
class TestRules(TransactionCase):
|
||||||
|
def setUp(self):
|
||||||
|
super(TestRules, self).setUp()
|
||||||
|
|
||||||
|
self.id1 = self.env['test_access_right.some_obj']\
|
||||||
|
.create({'val': 1}).id
|
||||||
|
self.id2 = self.env['test_access_right.some_obj']\
|
||||||
|
.create({'val': -1}).id
|
||||||
|
# create a global rule forbidding access to records with a negative
|
||||||
|
# (or zero) val
|
||||||
|
self.env['ir.rule'].create({
|
||||||
|
'name': 'Forbid negatives',
|
||||||
|
'model_id': self.browse_ref('test_access_rights.model_test_access_right_some_obj').id,
|
||||||
|
'domain_force': "[('val', '>', 0)]"
|
||||||
|
})
|
||||||
|
|
||||||
|
def test_basic_access(self):
|
||||||
|
env = self.env(user=self.browse_ref('base.public_user'))
|
||||||
|
|
||||||
|
# put forbidden record in cache
|
||||||
|
browse2 = env['test_access_right.some_obj'].browse(self.id2)
|
||||||
|
# this is the one we want
|
||||||
|
browse1 = env['test_access_right.some_obj'].browse(self.id1)
|
||||||
|
|
||||||
|
# this should not blow up
|
||||||
|
self.assertEqual(browse1.val, 1)
|
||||||
|
|
||||||
|
# but this should
|
||||||
|
with self.assertRaises(openerp.exceptions.AccessError):
|
||||||
|
self.assertEqual(browse2.val, -1)
|
|
@ -3102,10 +3102,10 @@ class BaseModel(object):
|
||||||
instance) for `self` in cache.
|
instance) for `self` in cache.
|
||||||
"""
|
"""
|
||||||
# fetch the records of this model without field_name in their cache
|
# fetch the records of this model without field_name in their cache
|
||||||
records = self._in_cache_without(field)
|
records = self
|
||||||
|
|
||||||
# by default, simply fetch field
|
# by default, simply fetch field
|
||||||
fnames = set((field.name,))
|
fnames = {field.name}
|
||||||
|
|
||||||
if self.pool._init:
|
if self.pool._init:
|
||||||
# columns may be missing from database, do not prefetch other fields
|
# columns may be missing from database, do not prefetch other fields
|
||||||
|
@ -3124,12 +3124,11 @@ class BaseModel(object):
|
||||||
|
|
||||||
# fetch records with read()
|
# fetch records with read()
|
||||||
assert self in records and field.name in fnames
|
assert self in records and field.name in fnames
|
||||||
|
result = []
|
||||||
try:
|
try:
|
||||||
result = records.read(list(fnames), load='_classic_write')
|
result = records.read(list(fnames), load='_classic_write')
|
||||||
except AccessError as e:
|
except AccessError:
|
||||||
# update cache with the exception
|
pass
|
||||||
records._cache[field] = FailedValue(e)
|
|
||||||
result = []
|
|
||||||
|
|
||||||
# check the cache, and update it if necessary
|
# check the cache, and update it if necessary
|
||||||
if field not in self._cache:
|
if field not in self._cache:
|
||||||
|
@ -3177,8 +3176,16 @@ class BaseModel(object):
|
||||||
'order': self._parent_order or self._order,
|
'order': self._parent_order or self._order,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
empty = self.browse()
|
||||||
|
prefetch = set()
|
||||||
|
todo = set()
|
||||||
|
for field in (self._fields[name] for name in field_names):
|
||||||
|
prefetch.update(self._in_cache_without(field).ids)
|
||||||
|
todo.update(self.env.todo.get(field, empty).ids)
|
||||||
|
records = self.browse(prefetch - todo)
|
||||||
|
|
||||||
result = []
|
result = []
|
||||||
for sub_ids in cr.split_for_in_conditions(self.ids):
|
for sub_ids in cr.split_for_in_conditions(records.ids):
|
||||||
cr.execute(query, [tuple(sub_ids)] + rule_params)
|
cr.execute(query, [tuple(sub_ids)] + rule_params)
|
||||||
result.extend(cr.dictfetchall())
|
result.extend(cr.dictfetchall())
|
||||||
|
|
||||||
|
@ -3251,9 +3258,9 @@ class BaseModel(object):
|
||||||
|
|
||||||
# store failed values in cache for the records that could not be read
|
# store failed values in cache for the records that could not be read
|
||||||
fetched = self.browse(ids)
|
fetched = self.browse(ids)
|
||||||
missing = self - fetched
|
missing = records - fetched
|
||||||
if missing:
|
if missing:
|
||||||
extras = fetched - self
|
extras = fetched - records
|
||||||
if extras:
|
if extras:
|
||||||
raise AccessError(
|
raise AccessError(
|
||||||
_("Database fetch misses ids ({}) and has extra ids ({}), may be caused by a type incoherence in a previous request").format(
|
_("Database fetch misses ids ({}) and has extra ids ({}), may be caused by a type incoherence in a previous request").format(
|
||||||
|
|
Loading…
Reference in New Issue