[FIX] portal: mail_message: override of _search and check_access_rule of mail_message in order to remove all internal notes if uid is not an employee.
bzr revid: tde@openerp.com-20130514111848-2yktt685f6nhn1r7
commit
259345ba58
|
@ -21,6 +21,7 @@
|
|||
|
||||
import portal
|
||||
import mail_mail
|
||||
import mail_message
|
||||
import wizard
|
||||
import acquirer
|
||||
|
||||
|
|
|
@ -0,0 +1,57 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
##############################################################################
|
||||
#
|
||||
# OpenERP, Open Source Management Solution
|
||||
# Copyright (C) 2004-2011 OpenERP S.A (<http://www.openerp.com>).
|
||||
#
|
||||
# This program is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU Affero General Public License as
|
||||
# published by the Free Software Foundation, either version 3 of the
|
||||
# License, or (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU Affero General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU Affero General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
##############################################################################
|
||||
|
||||
from openerp.osv import osv, orm
|
||||
from openerp.tools.translate import _
|
||||
|
||||
|
||||
class mail_message(osv.Model):
|
||||
""" Update of mail_message class, to restrict mail access. """
|
||||
_inherit = 'mail.message'
|
||||
|
||||
def _search(self, cr, uid, args, offset=0, limit=None, order=None,
|
||||
context=None, count=False, access_rights_uid=None):
|
||||
""" Override that adds specific access rights of mail.message, to remove
|
||||
all internal notes if uid is a non-employee
|
||||
"""
|
||||
group_ids = self.pool.get('res.users').browse(cr, uid, uid, context=context).groups_id
|
||||
group_user_id = self.pool.get("ir.model.data").get_object_reference(cr, uid, 'base', 'group_user')[1]
|
||||
if group_user_id not in [group.id for group in group_ids]:
|
||||
args = ['&', '|', ('type', '!=', 'comment'), ('subtype_id', '!=', False)] + list(args)
|
||||
|
||||
return super(mail_message, self)._search(cr, uid, args, offset=offset, limit=limit, order=order,
|
||||
context=context, count=False, access_rights_uid=access_rights_uid)
|
||||
|
||||
def check_access_rule(self, cr, uid, ids, operation, context=None):
|
||||
""" Add Access rules of mail.message for non-employee user:
|
||||
- read:
|
||||
- raise if the type is comment and subtype NULL (internal note)
|
||||
"""
|
||||
group_ids = self.pool.get('res.users').browse(cr, uid, uid, context=context).groups_id
|
||||
group_user_id = self.pool.get("ir.model.data").get_object_reference(cr, uid, 'base', 'group_user')[1]
|
||||
if group_user_id not in [group.id for group in group_ids]:
|
||||
cr.execute('SELECT DISTINCT id FROM "%s" WHERE type = %%s AND subtype_id != NULL AND id = ANY (%%s)' % (self._table), ('comment', ids,))
|
||||
if cr.fetchall():
|
||||
raise orm.except_orm(_('Access Denied'),
|
||||
_('The requested operation cannot be completed due to security restrictions. Please contact your system administrator.\n\n(Document type: %s, Operation: %s)') % \
|
||||
(self._description, operation))
|
||||
|
||||
return super(mail_message, self).check_access_rule(cr, uid, ids=ids, operation=operation, context=context)
|
|
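Review bot: In check_access_rule the SQL filter `subtype_id != NULL` can never be true, because any comparison with NULL evaluates to unknown in SQL, so the query returns no rows and the access error is never raised for a non-employee. The docstring defines an internal note as a comment whose subtype is NULL, so the WHERE clause should read `type = %%s AND subtype_id IS NULL AND id = ANY (%%s)`. As written, only the _search override hides internal notes, and a request that names a message id directly would presumably pass this check. Separately, _search forwards `count=False` to super() rather than `count=count`, so the caller's count argument is silently dropped.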
@ -40,7 +40,9 @@ class test_portal(TestMailBase):
|
|||
self.partner_chell_id = self.user_chell.partner_id.id
|
||||
|
||||
# Create a PigsPortal group
|
||||
self.group_port_id = self.mail_group.create(cr, uid, {'name': 'PigsPortal', 'public': 'groups', 'group_public_id': self.group_portal_id})
|
||||
self.group_port_id = self.mail_group.create(cr, uid,
|
||||
{'name': 'PigsPortal', 'public': 'groups', 'group_public_id': self.group_portal_id},
|
||||
{'mail_create_nolog': True})
|
||||
|
||||
# Set an email address for the user running the tests, used as Sender for outgoing mails
|
||||
self.res_users.write(cr, uid, uid, {'email': 'test@localhost'})
|
||||
|
@ -130,3 +132,21 @@ class test_portal(TestMailBase):
|
|||
'body of invitation email is incorrect')
|
||||
self.assertTrue(partner_carine.signup_url in sent_email.get('body'),
|
||||
'body of invitation email does not contain signup url')
|
||||
|
||||
def test_20_message_read(self):
|
||||
cr, uid, group_port_id = self.cr, self.uid, self.group_port_id
|
||||
|
||||
# Data: custom subtypes
|
||||
mt_group_public_id = self.mail_message_subtype.create(cr, uid, {'name': 'group_public', 'description': 'Group changed'})
|
||||
self.ir_model_data.create(cr, uid, {'name': 'mt_group_public', 'model': 'mail.message.subtype', 'module': 'mail', 'res_id': mt_group_public_id})
|
||||
# Data: post messages with various subtypes
|
||||
msg1_id = self.mail_group.message_post(cr, uid, group_port_id, body='Body1', type='comment', subtype='mail.mt_comment')
|
||||
msg2_id = self.mail_group.message_post(cr, uid, group_port_id, body='Body2', type='comment', subtype='mail.mt_group_public')
|
||||
msg3_id = self.mail_group.message_post(cr, uid, group_port_id, body='Body3', type='comment', subtype='mail.mt_comment')
|
||||
msg4_id = self.mail_group.message_post(cr, uid, group_port_id, body='Body4', type='comment')
|
||||
msg5_id = self.mail_group.message_post(cr, uid, group_port_id, body='Body5', type='notification')
|
||||
|
||||
# Do: Chell search messages: should not see internal notes (comment without subtype)
|
||||
msg_ids = self.mail_message.search(cr, self.user_chell_id, [('model', '=', 'mail.group'), ('res_id', '=', group_port_id)])
|
||||
self.assertEqual(set(msg_ids), set([msg1_id, msg2_id, msg3_id, msg5_id]),
|
||||
'mail_message: portal user has access to messages he should not read')
|
||||
|
|
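Review bot: test_20_message_read exercises only `search`, so the check_access_rule override added by this commit has no coverage and a broken condition there would go unnoticed. Add a case where Chell accesses the internal note by id, for example asserting that `self.mail_message.read(cr, self.user_chell_id, [msg4_id])` raises the access error (assuming read goes through check_access_rule, as it appears to for this model). A second assertion that `search(..., count=True)` as Chell equals `len(msg_ids)` would pin the count path of the _search override as well.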