diff --git a/addons/portal/__init__.py b/addons/portal/__init__.py
index 0045a557a49..e7026986ea4 100644
--- a/addons/portal/__init__.py
+++ b/addons/portal/__init__.py
@@ -21,6 +21,7 @@
 import portal
 import mail_mail
+import mail_message
 import wizard
 import acquirer
diff --git a/addons/portal/mail_message.py b/addons/portal/mail_message.py
new file mode 100644
index 00000000000..d5acfdf74c1
--- /dev/null
+++ b/addons/portal/mail_message.py
@@ -0,0 +1,57 @@
+# -*- coding: utf-8 -*-
+##############################################################################
+#
+# OpenERP, Open Source Management Solution
+# Copyright (C) 2004-2011 OpenERP S.A ().
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+#
+##############################################################################
+
+from openerp.osv import osv, orm
+from openerp.tools.translate import _
+
+
+class mail_message(osv.Model):
+    """ Update of mail_message class, to restrict mail access. """
+ _inherit = 'mail.message'
+
+ def _search(self, cr, uid, args, offset=0, limit=None, order=None,
+ context=None, count=False, access_rights_uid=None):
+ """ Override that adds specific access rights of mail.message, to remove
+ all internal notes if uid is a non-employee
+ """
+ group_ids = self.pool.get('res.users').browse(cr, uid, uid, context=context).groups_id
+ group_user_id = self.pool.get("ir.model.data").get_object_reference(cr, uid, 'base', 'group_user')[1]
+ if group_user_id not in [group.id for group in group_ids]:
+ args = ['&', '|', ('type', '!=', 'comment'), ('subtype_id', '!=', False)] + list(args)
+
+ return super(mail_message, self)._search(cr, uid, args, offset=offset, limit=limit, order=order,
+ context=context, count=False, access_rights_uid=access_rights_uid)
+
+ def check_access_rule(self, cr, uid, ids, operation, context=None):
+ """ Add Access rules of mail.message for non-employee user:
+ - read:
+ - raise if the type is comment and subtype NULL (internal note)
+ """
+ group_ids = self.pool.get('res.users').browse(cr, uid, uid, context=context).groups_id
+ group_user_id = self.pool.get("ir.model.data").get_object_reference(cr, uid, 'base', 'group_user')[1]
+ if group_user_id not in [group.id for group in group_ids]:
+ cr.execute('SELECT DISTINCT id FROM "%s" WHERE type = %%s AND subtype_id != NULL AND id = ANY (%%s)' % (self._table), ('comment', ids,))
+ if cr.fetchall():
+ raise orm.except_orm(_('Access Denied'),
+ _('The requested operation cannot be completed due to security restrictions. Please contact your system administrator.\n\n(Document type: %s, Operation: %s)') % \
+ (self._description, operation))
+
+ return super(mail_message, self).check_access_rule(cr, uid, ids=ids, operation=operation, context=context)
diff --git a/addons/portal/tests/test_portal.py b/addons/portal/tests/test_portal.py
index 03f2491315b..1cfb2aef269 100644
--- a/addons/portal/tests/test_portal.py
+++ b/addons/portal/tests/test_portal.py
@@ -40,7 +40,9 @@ class test_portal(TestMailBase):
 self.partner_chell_id = self.user_chell.partner_id.id
 # Create a PigsPortal group
- self.group_port_id = self.mail_group.create(cr, uid, {'name': 'PigsPortal', 'public': 'groups', 'group_public_id': self.group_portal_id})
+ self.group_port_id = self.mail_group.create(cr, uid,
+ {'name': 'PigsPortal', 'public': 'groups', 'group_public_id': self.group_portal_id},
+ {'mail_create_nolog': True})
 # Set an email address for the user running the tests, used as Sender for outgoing mails
 self.res_users.write(cr, uid, uid, {'email': 'test@localhost'})
@@ -130,3 +132,21 @@ class test_portal(TestMailBase):
 'body of invitation email is incorrect')
 self.assertTrue(partner_carine.signup_url in sent_email.get('body'),
 'body of invitation email does not contain signup url')
+
+ def test_20_message_read(self):
+ cr, uid, group_port_id = self.cr, self.uid, self.group_port_id
+
+ # Data: custom subtypes
+ mt_group_public_id = self.mail_message_subtype.create(cr, uid, {'name': 'group_public', 'description': 'Group changed'})
+ self.ir_model_data.create(cr, uid, {'name': 'mt_group_public', 'model': 'mail.message.subtype', 'module': 'mail', 'res_id': mt_group_public_id})
+ # Data: post messages with various subtypes
+ msg1_id = self.mail_group.message_post(cr, uid, group_port_id, body='Body1', type='comment', subtype='mail.mt_comment')
+ msg2_id = self.mail_group.message_post(cr, uid, group_port_id, body='Body2', type='comment', subtype='mail.mt_group_public')
+ msg3_id = self.mail_group.message_post(cr, uid, group_port_id, body='Body3', type='comment', subtype='mail.mt_comment')
+ msg4_id = self.mail_group.message_post(cr, uid, group_port_id, body='Body4', type='comment')
+ msg5_id = self.mail_group.message_post(cr, uid, group_port_id, body='Body5', type='notification')
+
+ # Do: Chell search messages: should not see internal notes (comment without subtype)
+ msg_ids = self.mail_message.search(cr, self.user_chell_id, [('model', '=', 'mail.group'), ('res_id', '=', group_port_id)])
+ self.assertEqual(set(msg_ids), set([msg1_id, msg2_id, msg3_id, msg5_id]),
+ 'mail_message: portal user has access to messages he should not read')
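Review bot: `test_20_message_read` only exercises `search`; `msg4_id`, the internal note, is created and then never used, so the `check_access_rule` path in `addons/portal/mail_message.py` — the one that is supposed to stop a direct read by id — has no coverage, which matters because a search filter alone does not protect `read`/`browse` of a known id. Add a direct-read assertion for the portal user, e.g. `self.assertRaises(except_orm, self.mail_message.read, cr, self.user_chell_id, [msg4_id])` (importing `except_orm` from `openerp.osv.orm` if the test module does not already), and a positive `read` of `msg1_id` so the allow path is checked too. The `test_portal` class continues outside the hunk.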