[FIX] document: apply security rules documented on doc/access_permissions.rst. (opw #592652)

bzr revid: mat@openerp.com-20130722133615-wniqec4k60ssw4ui
2013-07-22 15:36:15 +02:00 · 2013-07-22 15:36:15 +02:00 · 1edc9e6551
parent f37c21ba83 8ffa0fec98
commit 1edc9e6551
1 changed files with 8 additions and 5 deletions
--- a/addons/document/document.py
+++ b/addons/document/document.py
@ -69,11 +69,14 @@ class document_file(osv.osv):
    ]

    def check(self, cr, uid, ids, mode, context=None, values=None):
-        """Check access wrt. res_model, relax the rule of ir.attachment parent
-        With 'document' installed, everybody will have access to attachments of
-        any resources they can *read*.
-        """
-        return super(document_file, self).check(cr, uid, ids, mode='read', context=context, values=values)
+        """Overwrite check to verify access on directory to validate specifications of doc/access_permissions.rst"""
+        super(document_file, self).check(cr, uid, ids, mode, context=context, values=values)
+        if ids:
+            self.pool.get('ir.model.access').check(cr, uid, 'document.directory', mode)
+
+            # use SQL to avoid recursive loop on read
+            cr.execute('SELECT DISTINCT parent_id from ir_attachment WHERE id in %s AND parent_id is not NULL', (tuple(ids),))
+            self.pool.get('document.directory').check_access_rule(cr, uid, [parent_id for (parent_id,) in cr.fetchall()], mode, context=context)

    def search(self, cr, uid, args, offset=0, limit=None, order=None, context=None, count=False):
        # Grab ids, bypassing 'count'