From b67eb530b05793af9015492954377921a27c92e7 Mon Sep 17 00:00:00 2001
From: Christophe Simonis <chs@odoo.com>
Date: Thu, 28 Aug 2014 17:17:10 +0200
Subject: [PATCH 1/6] [FIX] hr_holidays: remove now invalid xml attribute
 "model" (introduced by last forward-port)

---
 addons/hr_holidays/security/ir_rule.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/addons/hr_holidays/security/ir_rule.xml b/addons/hr_holidays/security/ir_rule.xml
index 77c98db5d71..fad58b47b28 100644
--- a/addons/hr_holidays/security/ir_rule.xml
+++ b/addons/hr_holidays/security/ir_rule.xml
@@ -13,19 +13,19 @@
 
     <record id="property_rule_holidays_employee_write" model="ir.rule">
         <field name="name">Employee Holidays Create, Write, Unlink</field>
-        <field model="ir.model" name="model_id" ref="model_hr_holidays"/>
+        <field name="model_id" ref="model_hr_holidays"/>
         <field name="domain_force">[('employee_id.user_id','=',user.id), ('state', 'in', ['draft', 'confirm', 'cancel'])]</field>
         <field name="perm_read" eval="False"/>
         <field name="groups" eval="[(4,ref('base.group_user'))]"/>
     </record>
-    
+
     <record id="property_rule_holidays_officer" model="ir.rule">
         <field name="name">Holidays Officer</field>
         <field name="model_id" ref="model_hr_holidays"/>
         <field name="domain_force">[(1,'=',1)]</field>
         <field name="groups" eval="[(4,ref('base.group_hr_user'))]"/>
     </record>
-    
+
     <record id="resource_leaves_officer" model="ir.rule">
         <field name="name">Leaves Officer</field>
         <field name="model_id" ref="model_resource_calendar_leaves"/>

From 4e9f9426c6213e14a7715bdee7210c470932930b Mon Sep 17 00:00:00 2001
From: Christophe Simonis <chs@odoo.com>
Date: Thu, 28 Aug 2014 17:21:54 +0200
Subject: [PATCH 2/6] [FIX] account: use method has_group() instead of browsing
 the group directly.

---
 addons/account/account_invoice.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/addons/account/account_invoice.py b/addons/account/account_invoice.py
index 7b46e9c83a5..068ca15cce7 100644
--- a/addons/account/account_invoice.py
+++ b/addons/account/account_invoice.py
@@ -949,9 +949,7 @@ class account_invoice(osv.osv):
             self.check_tax_lines(cr, uid, inv, compute_taxes, ait_obj)
 
             # I disabled the check_total feature
-            group_check_total_id = self.pool.get('ir.model.data').get_object_reference(cr, uid, 'account', 'group_supplier_inv_check_total')[1]
-            group_check_total = self.pool.get('res.groups').browse(cr, uid, group_check_total_id, context=context)
-            if group_check_total and uid in [x.id for x in group_check_total.users]:
+            if self.pool['res.users'].has_group(cr, uid, 'account.group_supplier_inv_check_total'):
                 if (inv.type in ('in_invoice', 'in_refund') and abs(inv.check_total - inv.amount_total) >= (inv.currency_id.rounding/2.0)):
                     raise osv.except_osv(_('Bad Total!'), _('Please verify the price of the invoice!\nThe encoded total does not match the computed total.'))
 

From f65c9130279cdd03e8bef928036bdff356ea2feb Mon Sep 17 00:00:00 2001
From: Christophe Simonis <chs@odoo.com>
Date: Thu, 28 Aug 2014 18:14:08 +0200
Subject: [PATCH 3/6] [FIX] base: security: employee must have access to
 res.groups

---
 openerp/addons/base/security/ir.model.access.csv | 1 +
 1 file changed, 1 insertion(+)

diff --git a/openerp/addons/base/security/ir.model.access.csv b/openerp/addons/base/security/ir.model.access.csv
index 27333efa20c..cec78a06ecc 100644
--- a/openerp/addons/base/security/ir.model.access.csv
+++ b/openerp/addons/base/security/ir.model.access.csv
@@ -53,6 +53,7 @@
 "access_res_currency_group_system","res_currency group_system","model_res_currency","group_system",1,1,1,1
 "access_res_currency_rate_group_system","res_currency_rate group_system","model_res_currency_rate","group_system",1,1,1,1
 "access_res_groups_group_erp_manager","res_groups group_erp_manager","model_res_groups","group_erp_manager",1,1,1,1
+"access_res_groups_group_user","res_groups group_user","model_res_groups",group_user,1,0,0,0
 "access_res_lang_group_all","res_lang group_all","model_res_lang",,1,0,0,0
 "access_res_lang_group_user","res_lang group_user","model_res_lang","group_system",1,1,1,1
 "access_res_partner_group_partner_manager","res_partner group_partner_manager","model_res_partner","group_partner_manager",1,1,1,1

From 1d9bdb43bf2adc7b6b55b616d65f0a5db44b67dc Mon Sep 17 00:00:00 2001
From: Christophe Simonis <chs@odoo.com>
Date: Thu, 28 Aug 2014 18:32:11 +0200
Subject: [PATCH 4/6] [FIX] mail: read ir.config_parameter with SUPERUSER_ID

---
 addons/mail/mail_message.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/addons/mail/mail_message.py b/addons/mail/mail_message.py
index e54708c77d9..a2d38287062 100644
--- a/addons/mail/mail_message.py
+++ b/addons/mail/mail_message.py
@@ -792,7 +792,7 @@ class mail_message(osv.Model):
         email_reply_to = None
 
         ir_config_parameter = self.pool.get("ir.config_parameter")
-        catchall_domain = ir_config_parameter.get_param(cr, uid, "mail.catchall.domain", context=context)
+        catchall_domain = ir_config_parameter.get_param(cr, SUPERUSER_ID, "mail.catchall.domain", context=context)
 
         # model, res_id, email_from: comes from values OR related message
         model, res_id, email_from = values.get('model'), values.get('res_id'), values.get('email_from')
@@ -802,7 +802,7 @@ class mail_message(osv.Model):
             email_reply_to = self.pool[model].message_get_reply_to(cr, uid, [res_id], context=context)[0]
         # no alias reply_to -> catchall alias
         if not email_reply_to and catchall_domain:
-            catchall_alias = ir_config_parameter.get_param(cr, uid, "mail.catchall.alias", context=context)
+            catchall_alias = ir_config_parameter.get_param(cr, SUPERUSER_ID, "mail.catchall.alias", context=context)
             if catchall_alias:
                 email_reply_to = '%s@%s' % (catchall_alias, catchall_domain)
         # still no reply_to -> reply_to will be the email_from

From 15ee4d83c937ed8df3c25a46894280a36b48f468 Mon Sep 17 00:00:00 2001
From: Christophe Simonis <chs@odoo.com>
Date: Thu, 28 Aug 2014 19:04:14 +0200
Subject: [PATCH 5/6] [FIX] email_template: remove group restriction on field
 mail.compose.message.template_id

This was added as a security check, but access to this field is need by the wizard itself.
As non employee users can't read/create email templates, this will not be problematic
---
 addons/email_template/wizard/mail_compose_message.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/addons/email_template/wizard/mail_compose_message.py b/addons/email_template/wizard/mail_compose_message.py
index f39cc7f3a90..22bb53beae3 100644
--- a/addons/email_template/wizard/mail_compose_message.py
+++ b/addons/email_template/wizard/mail_compose_message.py
@@ -58,7 +58,7 @@ class mail_compose_message(osv.TransientModel):
 
     _columns = {
         # incredible hack of the day: size=-1 means we want an int db column instead of an str one
-        'template_id': fields.selection(_get_templates, 'Template', size=-1, groups="base.group_user"),
+        'template_id': fields.selection(_get_templates, 'Template', size=-1),
     }
 
     def send_mail(self, cr, uid, ids, context=None):

From 24c25f506c185d2841cef51ffb576ea29eb87221 Mon Sep 17 00:00:00 2001
From: Christophe Simonis <chs@odoo.com>
Date: Fri, 29 Aug 2014 11:12:25 +0200
Subject: [PATCH 6/6] [FIX] website_hr: give public group the right to read
 resource.resource records

---
 addons/website_hr/security/ir.model.access.csv | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/addons/website_hr/security/ir.model.access.csv b/addons/website_hr/security/ir.model.access.csv
index 91c044e1964..6f038a47ba9 100644
--- a/addons/website_hr/security/ir.model.access.csv
+++ b/addons/website_hr/security/ir.model.access.csv
@@ -1,2 +1,3 @@
 id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
-access_hr_employee_public,hr.employee.public,hr.model_hr_employee,base.group_public,1,0,0,0
\ No newline at end of file
+access_hr_employee_public,hr.employee.public,hr.model_hr_employee,base.group_public,1,0,0,0
+access_resource_public,resource.resource.public,resource.model_resource_resource,base.group_public,1,0,0,0