From ff0ab6426a116bb504188764f76b63e4387279b7 Mon Sep 17 00:00:00 2001 From: Christophe Simonis Date: Wed, 13 Aug 2014 11:12:20 +0200 Subject: [PATCH 01/11] [FIX] web_graph : display the corresponding label for selection fields in graph view --- addons/web_graph/static/src/js/pivot_table.js | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/addons/web_graph/static/src/js/pivot_table.js b/addons/web_graph/static/src/js/pivot_table.js index 086e7205990..b842b00f00d 100644 --- a/addons/web_graph/static/src/js/pivot_table.js +++ b/addons/web_graph/static/src/js/pivot_table.js @@ -423,14 +423,15 @@ openerp.web_graph.PivotTable = openerp.web.Class.extend({ attrs.value = [attrs.value]; } attrs.value = _.range(grouped_on.length).map(function (i) { + var grp = grouped_on[i], + field = self.fields[grp]; if (attrs.value[i] === false) { return _t('Undefined'); } else if (attrs.value[i] instanceof Array) { return attrs.value[i][1]; - }else if (grouped_on && self.fields[grouped_on].type === 'selection'){ - var selection = self.fields[grouped_on].selection; - var value_lookup = _.where(selection, {0:attrs.value[i]}); - return value_lookup ? value_lookup[0][1] : _t('Undefined'); + } else if (field && field.type === 'selection') { + var selected = _.where(field.selection, {0: attrs.value[i]})[0]; + return selected ? selected[1] : attrs.value[i]; } return attrs.value[i]; }); From 18fe7abcc64093800238d8261673d146af6bc6c6 Mon Sep 17 00:00:00 2001 From: Olivier Dony Date: Wed, 13 Aug 2014 11:45:59 +0200 Subject: [PATCH 02/11] [FIX] account_followup: avoid crashing when a move line has no ref --- addons/account_followup/account_followup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/addons/account_followup/account_followup.py b/addons/account_followup/account_followup.py index 0e3cd0ac5f7..f05d6fc2ab5 100644 --- a/addons/account_followup/account_followup.py +++ b/addons/account_followup/account_followup.py 
@@ -273,7 +273,7 @@ class res_partner(osv.osv): if date <= current_date and aml['balance'] > 0: strbegin = "" strend = "" - followup_table +="" + strbegin + str(aml['date']) + strend + strbegin + aml['name'] + strend + strbegin + aml['ref'] + strend + strbegin + str(date) + strend + strbegin + str(aml['balance']) + strend + strbegin + block + strend + "" + followup_table +="" + strbegin + str(aml['date']) + strend + strbegin + aml['name'] + strend + strbegin + (aml['ref'] or '') + strend + strbegin + str(date) + strend + strbegin + str(aml['balance']) + strend + strbegin + block + strend + "" total = rml_parse.formatLang(total, dp='Account', currency_obj=currency) followup_table += ''' From f2788afe92ebe3f823e2a2cfa58ccb68bc9d3eea Mon Sep 17 00:00:00 2001 From: Olivier Dony Date: Wed, 13 Aug 2014 11:50:04 +0200 Subject: [PATCH 03/11] [FIX] portal_sale: browse data for payment acquirer form with superuser ID The payment form needs to be rendered for non-employee users, and may require accessing extra financial data not available for those users. --- addons/portal_sale/portal_sale.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/addons/portal_sale/portal_sale.py b/addons/portal_sale/portal_sale.py index 49624671f98..d5b38b9c57e 100644 --- a/addons/portal_sale/portal_sale.py +++ b/addons/portal_sale/portal_sale.py @@ -20,6 +20,7 @@ ############################################################################## from openerp.osv import osv, fields +from openerp import SUPERUSER_ID class sale_order(osv.Model): 
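Review bot: On the changed `followup_table +=` line, `aml['name']` and `aml['ref']` are concatenated into the follow-up table as-is; the new `(aml['ref'] or '')` guard only handles the empty case. The cell delimiters in `strbegin`/`strend` are not visible in this rendering, but if they are markup, text taken from journal items (which can come from customer or supplier references) lands unescaped in the generated document. Escaping at this point, e.g. `cgi.escape(aml['ref'] or '')` and `cgi.escape(aml['name'] or '')`, would cover both the crash and the injection case. The enclosing method starts and ends outside the hunk.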
@@ -35,7 +36,7 @@ class sale_order(osv.Model): def _portal_payment_block(self, cr, uid, ids, fieldname, arg, context=None): result = dict.fromkeys(ids, False) payment_acquirer = self.pool.get('portal.payment.acquirer') - for this in self.browse(cr, uid, ids, context=context): + for this in self.browse(cr, SUPERUSER_ID, ids, context=context): if this.state not in ('draft', 'cancel') and not this.invoiced: result[this.id] = payment_acquirer.render_payment_block(cr, uid, this, this.name, this.pricelist_id.currency_id, this.amount_total, context=context) From 6b8af73179d40b1df7f229ff03e791514b3b45bb Mon Sep 17 00:00:00 2001 From: Olivier Dony Date: Wed, 13 Aug 2014 12:38:38 +0200 Subject: [PATCH 04/11] [FIX] account.invoice: payments can never be shown to portal users, but residual might be needed The residual amount is typically needed to render the online payment forms (payment acquirers). Payments on the other hand rely on account.move.line, something that portal users should never be allowed to read. Removing the field from the view by setting a model-level group permission ensures they will not see an error. --- addons/account/account_invoice.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/addons/account/account_invoice.py b/addons/account/account_invoice.py index 7677c212781..6c938e22f17 100644 --- a/addons/account/account_invoice.py +++ b/addons/account/account_invoice.py @@ -24,7 +24,7 @@ from lxml import etree import openerp.addons.decimal_precision as dp import openerp.exceptions -from openerp import netsvc +from openerp import netsvc, SUPERUSER_ID from openerp import pooler from openerp.osv import fields, osv, orm from openerp.tools.translate import _ 
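Review bot: `self.browse(cr, SUPERUSER_ID, ids, context=context)` in `_portal_payment_block` bypasses access rights and record rules for every id passed in, and the superuser-bound `this` is then handed to `render_payment_block`, so fields reached from it are read unchecked as well. Nothing in the method verifies that `uid` may read these orders; presumably the ORM checks that before computing the function field, but that is outside the hunk. I would make it explicit before elevating with `self.check_access_rule(cr, uid, ids, 'read', context=context)` and add a comment such as `# superuser only to render the block; read access was checked with the caller's uid`. The loop changed at `@@ -101,7 +101,7 @@` in account_invoice.py has the same pattern; since that one may also run during stored-field recomputation, a comment stating why the elevation is safe may be the better fit there. The method's return statement is outside the hunk.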
@@ -101,7 +101,7 @@ class account_invoice(osv.osv): ctx = context.copy() result = {} currency_obj = self.pool.get('res.currency') - for invoice in self.browse(cr, uid, ids, context=context): + for invoice in self.browse(cr, SUPERUSER_ID, ids, context=context): nb_inv_in_partial_rec = max_invoice_id = 0 result[invoice.id] = 0.0 if invoice.move_id: @@ -322,7 +322,7 @@ class account_invoice(osv.osv): 'account.move.reconcile': (_get_invoice_from_reconcile, None, 50), }, help="Remaining amount due."), - 'payment_ids': fields.function(_compute_lines, relation='account.move.line', type="many2many", string='Payments'), + 'payment_ids': fields.function(_compute_lines, relation='account.move.line', type="many2many", string='Payments', groups='base.group_user'), 'move_name': fields.char('Journal Entry', size=64, readonly=True, states={'draft':[('readonly',False)]}), 'user_id': fields.many2one('res.users', 'Salesperson', readonly=True, track_visibility='onchange', states={'draft':[('readonly',False)]}), 'fiscal_position': fields.many2one('account.fiscal.position', 'Fiscal Position', readonly=True, states={'draft':[('readonly',False)]}) From 7aa0376f3ec6e7e8bf1c4fb6fb5581a6f18f985e Mon Sep 17 00:00:00 2001 
From: Olivier Dony Date: Wed, 13 Aug 2014 13:26:22 +0200 Subject: [PATCH 05/11] [FIX] gamification: prohibitive record rule processing with many users/goals Due to the multi-company record rule on gamification.goal, each access to the Goals menu and each opening of the Messaging menu (thus calling get_serialised_gamification_summary()) is extremely slow (with several thousands goals/users). Adding auto_join to the user_id FK on goals makes it much faster. However it causes crashes when reading the table because the _order of gamification.goal uses `create_date`, which becomes ambiguous after the auto_join with res_users. Solving this can be done by re-implementing _read_flat() in the ORM using the internal Query object, as in search(), which takes care of fully-qualifying all column names. Until this is fixed, a simple workaround is to use start_date in the _order instead of collision-prone `create_date`. --- addons/gamification/models/goal.py | 4 ++-- openerp/osv/orm.py | 5 +++++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/addons/gamification/models/goal.py b/addons/gamification/models/goal.py index 44071a526b4..58aebbc5583 100644 --- a/addons/gamification/models/goal.py +++ b/addons/gamification/models/goal.py @@ -187,7 +187,7 @@ class gamification_goal(osv.Model): _columns = { 'definition_id': fields.many2one('gamification.goal.definition', string='Goal Definition', required=True, ondelete="cascade"), - 'user_id': fields.many2one('res.users', string='User', required=True), + 'user_id': fields.many2one('res.users', string='User', required=True, auto_join=True), 'line_id': fields.many2one('gamification.challenge.line', string='Goal Line', ondelete="cascade"), 'challenge_id': fields.related('line_id', 'challenge_id', string="Challenge", 
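Review bot: `auto_join=True` on `user_id` changes how domains that traverse this field are evaluated, not only how fast they run: as far as I know the ORM then resolves `user_id.<field>` conditions with a SQL JOIN instead of a sub-search on `res.users`, so record rules of `res.users` are not applied to that traversal. That is probably acceptable for the multi-company rule the description mentions, but the trade-off is invisible at the field definition. I would add a comment above the field, e.g. `# auto_join: needed for the multi-company rule; res.users rules are not applied when searching through user_id`. The `_columns` dict continues outside the hunk.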
@@ -231,7 +231,7 @@ class gamification_goal(osv.Model): 'state': 'draft', 'start_date': fields.date.today, } - _order = 'create_date desc, end_date desc, definition_id, id' + _order = 'start_date desc, end_date desc, definition_id, id' def _check_remind_delay(self, cr, uid, goal, context=None): """Verify if a goal has not been updated for some time and send a diff --git a/openerp/osv/orm.py b/openerp/osv/orm.py index cf73a69f376..bcb00994f4b 100644 --- a/openerp/osv/orm.py +++ b/openerp/osv/orm.py @@ -3347,6 +3347,11 @@ class BaseModel(object): return 'length(%s) as "%s"' % (f_qual, f) return f_qual + # FIXME: The query construction needs to be rewritten using the internal Query + # object, as in search(), to avoid ambiguous column references when + # reading/sorting on a table that is auto_joined to another table with + # common columns (e.g. the magical columns) + # Construct a clause for the security rules. # 'tables' hold the list of tables necessary for the SELECT including the ir.rule clauses, # or will at least contain self._table. From 8276fb585371e78a500d57ff61f23ce10db24e9c Mon Sep 17 00:00:00 2001 From: Denis Ledoux Date: Wed, 13 Aug 2014 14:52:01 +0200 Subject: [PATCH 06/11] [FIX] export: add the context in the export In some cases, the data dispalyed in a list depends on the context This context needs to be passed to the export method, so the exported data reflects correctly the data from the list view --- addons/web/controllers/main.py | 8 +++++--- addons/web/static/src/js/data_export.js | 1 + 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/addons/web/controllers/main.py b/addons/web/controllers/main.py index d55e7ad0270..584bb3e35b5 100644 --- a/addons/web/controllers/main.py +++ b/addons/web/controllers/main.py 
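Review bot: The new `_order` in goal.py depends on `start_date` not being a column of `res_users`, and nothing next to the line says so; the reason lives only in the commit message and in the FIXME added to orm.py. A comment on the line, e.g. `# do not order on create_date: ambiguous once user_id is auto_joined to res_users`, would keep a later cleanup from reintroducing the crash. Also note that `start_date` is a business field (only a default is visible here) and may be edited or empty, so the list is no longer strictly ordered by creation.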
@@ -1606,16 +1606,18 @@ class ExportFormat(object): @openerpweb.httprequest def index(self, req, data, token): + params = simplejson.loads(data) model, fields, ids, domain, import_compat = \ operator.itemgetter('model', 'fields', 'ids', 'domain', 'import_compat')( - simplejson.loads(data)) + params) Model = req.session.model(model) - ids = ids or Model.search(domain, 0, False, False, req.context) + context = dict(req.context or {}, **params.get('context', {})) + ids = ids or Model.search(domain, 0, False, False, context) field_names = map(operator.itemgetter('name'), fields) - import_data = Model.export_data(ids, field_names, req.context).get('datas',[]) + import_data = Model.export_data(ids, field_names, context).get('datas',[]) if import_compat: columns_headers = field_names diff --git a/addons/web/static/src/js/data_export.js b/addons/web/static/src/js/data_export.js index 7a57899a963..be8fb9628f1 100644 --- a/addons/web/static/src/js/data_export.js +++ b/addons/web/static/src/js/data_export.js @@ -389,6 +389,7 @@ instance.web.DataExport = instance.web.Dialog.extend({ fields: exported_fields, ids: ids_to_export, domain: this.dataset.domain, + context: this.dataset.context, import_compat: !!this.$el.find("#import_compat").val(), })}, complete: instance.web.unblockUI, From 7f88681186b3870262ccbebdc9db1f8bbf2ae838 Mon Sep 17 00:00:00 2001 From: Samus CTO Date: Wed, 13 Aug 2014 14:43:53 +0200 Subject: [PATCH 07/11] [FIX] context_timestamp MUST return a "timezone aware" timestamp --- openerp/osv/fields.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/openerp/osv/fields.py b/openerp/osv/fields.py index 040548ec7cc..ee0ea8fa23a 100644 --- a/openerp/osv/fields.py +++ b/openerp/osv/fields.py 
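Review bot: `dict(req.context or {}, **params.get('context', {}))` in `index` fails when the request carries `"context": null` or a non-object value, because `.get` only falls back to `{}` when the key is absent and `**` then raises a TypeError. Since `data` is request-supplied, I would normalise it first, `extra = params.get('context') or {}`, reject it unless `isinstance(extra, dict)`, and then build the result with `context = dict(req.context or {}); context.update(extra)`. The merge also lets request keys override every session key; that matches ordinary RPC behaviour, but a comment saying it is intentional would help the next reader. The method continues outside the hunk.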
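Review bot: `context: this.dataset.context` is passed straight into `JSON.stringify`; if the dataset context is a compound or not-yet-evaluated context object rather than a plain dictionary (not visible in this hunk), the server receives its internal structure and merges those keys into the ORM context. Evaluating it to a plain object before serialising would make the payload match what `index` in main.py expects. The enclosing call starts outside the hunk.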
@@ -356,17 +356,16 @@ class datetime(_column): else: registry = openerp.modules.registry.RegistryManager.get(cr.dbname) tz_name = registry.get('res.users').read(cr, SUPERUSER_ID, uid, ['tz'])['tz'] + utc_timestamp = pytz.utc.localize(timestamp, is_dst=False) # UTC = no DST if tz_name: try: - utc = pytz.timezone('UTC') context_tz = pytz.timezone(tz_name) - utc_timestamp = utc.localize(timestamp, is_dst=False) # UTC = no DST return utc_timestamp.astimezone(context_tz) except Exception: _logger.debug("failed to compute context/client-specific timestamp, " "using the UTC value", exc_info=True) - return timestamp + return utc_timestamp class binary(_column): _type = 'binary' From 1a7c8953fed8de2cbd1eb0245935d2e0b9f4146a Mon Sep 17 00:00:00 2001 From: Samus CTO Date: Wed, 13 Aug 2014 14:45:38 +0200 Subject: [PATCH 08/11] [IMP] calculating nextcall datetime of a cron SHOULD use the cron's user --- openerp/addons/base/ir/ir_cron.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openerp/addons/base/ir/ir_cron.py b/openerp/addons/base/ir/ir_cron.py index cfabd97fb16..3bcc00f326a 100644 --- a/openerp/addons/base/ir/ir_cron.py +++ b/openerp/addons/base/ir/ir_cron.py @@ -150,8 +150,8 @@ class ir_cron(osv.osv): must not be committed/rolled back! """ try: - now = fields.datetime.context_timestamp(job_cr, SUPERUSER_ID, datetime.now()) - nextcall = fields.datetime.context_timestamp(job_cr, SUPERUSER_ID, datetime.strptime(job['nextcall'], DEFAULT_SERVER_DATETIME_FORMAT)) + now = fields.datetime.context_timestamp(job_cr, job['user_id'], datetime.now()) + nextcall = fields.datetime.context_timestamp(job_cr, job['user_id'], datetime.strptime(job['nextcall'], DEFAULT_SERVER_DATETIME_FORMAT)) numbercall = job['numbercall'] ok = False From bceb278199543dd9ed3fc00b76ef04a30786f19e Mon Sep 17 00:00:00 2001 
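Review bot: Moving `pytz.utc.localize(timestamp, is_dst=False)` above the `try` means a `timestamp` that already carries a tzinfo now raises `ValueError` out of `context_timestamp`; before, the call sat inside the `try` and the method fell back to returning the value. A guard keeps the old tolerance: `utc_timestamp = timestamp if timestamp.tzinfo else pytz.utc.localize(timestamp, is_dst=False)`. The fallback return also changes from naive to aware, so any caller that compares the result with a naive datetime will now get a `TypeError`; the docstring (outside the hunk) should state that the return value is always timezone-aware.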
From: Martin Trigaux Date: Wed, 13 Aug 2014 14:59:37 +0200 Subject: [PATCH 09/11] [FIX] base: revert 19e401a for title on res.partner form The title of the partner is restricted with a context that will change in the onchange_type. Having twice the same field will not work well. Remove the invisible attribute as the domain is handled by the domain. --- openerp/addons/base/res/res_partner_view.xml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/openerp/addons/base/res/res_partner_view.xml b/openerp/addons/base/res/res_partner_view.xml index 5f4cd26bbd7..5fa95114d50 100644 --- a/openerp/addons/base/res/res_partner_view.xml +++ b/openerp/addons/base/res/res_partner_view.xml @@ -31,7 +31,6 @@ - @@ -180,8 +179,7 @@ - - + From d03ae8980a045da4eff9edf53fd716641cdb0077 Mon Sep 17 00:00:00 2001 From: Olivier Dony Date: Wed, 13 Aug 2014 15:15:29 +0200 Subject: [PATCH 10/11] [FIX] portal_sale: remove un-necessary access rights, improve rules Portal access rights need to be associated with security rules, or not granted at all, as soon as they grant access to non-trivial data. --- .../portal_sale/security/ir.model.access.csv | 8 -------- .../portal_sale/security/portal_security.xml | 19 +++++++++++++++++-- 2 files changed, 17 insertions(+), 10 deletions(-) diff --git a/addons/portal_sale/security/ir.model.access.csv b/addons/portal_sale/security/ir.model.access.csv index c73be67e8c9..445f1438fb8 100644 --- a/addons/portal_sale/security/ir.model.access.csv +++ b/addons/portal_sale/security/ir.model.access.csv 
@@ -7,15 +7,7 @@ access_account_invoice_line,account.invoice.line,account.model_account_invoice_l access_account_journal,account.journal,account.model_account_journal,portal.group_portal,1,0,0,0 access_account_voucher,account.voucher,account_voucher.model_account_voucher,portal.group_portal,1,0,0,0 access_account_voucher_line,account.voucher.line,account_voucher.model_account_voucher_line,portal.group_portal,1,0,0,0 -access_account_move,account.move,account.model_account_move,portal.group_portal,1,0,0,0 -access_account_move_line,account.move.line,account.model_account_move_line,portal.group_portal,1,0,0,0 -access_account_move_reconcile,account.move.reconcile,account.model_account_move_reconcile,portal.group_portal,1,0,0,0 -access_account_fiscalyear,account.sequence.fiscalyear,account.model_account_sequence_fiscalyear,portal.group_portal,1,0,0,0 access_sale_shop,sale.shop,sale.model_sale_shop,portal.group_portal,1,0,0,0 -access_product_list,product.pricelist,product.model_product_pricelist,portal.group_portal,1,0,0,0 access_res_partner,res.partner,base.model_res_partner,portal.group_portal,1,0,0,0 access_account_tax,account.tax,account.model_account_tax,portal.group_portal,1,0,0,0 -access_account_fiscalyear,account.fiscalyear,account.model_account_fiscalyear,portal.group_portal,1,0,0,0 access_res_partner_category,res.partner.category,base.model_res_partner_category,portal.group_portal,1,0,0,0 -access_account_period,account.period,account.model_account_period,portal.group_portal,1,0,0,0 -access_account_account,account.account,account.model_account_account,portal.group_portal,1,0,0,0 diff --git a/addons/portal_sale/security/portal_security.xml b/addons/portal_sale/security/portal_security.xml index 428474487fe..32001feef77 100644 --- a/addons/portal_sale/security/portal_security.xml +++ b/addons/portal_sale/security/portal_security.xml 
@@ -18,7 +18,7 @@ their documents through the portal. Portal Personal Quotations/Sales Orders - [('message_follower_ids','in',[user.partner_id.id])] + [('message_follower_ids','child_of',[user.partner_id.id])] @@ -26,10 +26,25 @@ their documents through the portal. + + Portal Sales Orders Line + + [('order_id.message_follower_ids','child_of',[user.partner_id.id])] + + + + Portal Personal Account Invoices - [('message_follower_ids','in',[user.partner_id.id])] + [('message_follower_ids','child_of',[user.partner_id.id])] + + + + + Portal Invoice Lines + + [('invoice_id.message_follower_ids','child_of',[user.partner_id.id])] From 23cffab1f8cab7f456df56e6f1b002f4fa9b2ef0 Mon Sep 17 00:00:00 2001 From: Olivier Dony Date: Wed, 13 Aug 2014 17:20:49 +0200 Subject: [PATCH 11/11] [FIX] portal_sale: remove more access rights, add pricelist access Pricelist access is necessary for being able to read the unit price of sale order lines, and does not pose major security risks, as it does not permit reading the actual pricelist definition. --- addons/portal_sale/security/ir.model.access.csv | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/addons/portal_sale/security/ir.model.access.csv b/addons/portal_sale/security/ir.model.access.csv index 445f1438fb8..6e75cb1a711 100644 --- a/addons/portal_sale/security/ir.model.access.csv +++ b/addons/portal_sale/security/ir.model.access.csv 
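Review bot: Switching the rule domains from `'in'` to `'child_of'` on `message_follower_ids` widens what a portal user can read: a user whose partner is a parent company now matches documents followed by any contact below it, not only documents that partner follows itself. If that is the intent, the rule names still say "Personal" and should be updated, with a comment in the file stating the widening; the second hunk (`@@ -26,10 +26,25 @@`) uses the same operator for the new line rules via `order_id.message_follower_ids` and `invoice_id.message_follower_ids`. The record and group elements are not visible in this rendering, so I cannot confirm that the new rules are bound to the portal group only.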
@@ -5,9 +5,8 @@ access_account_invoice,account.invoice,account.model_account_invoice,portal.grou access_account_invoice_tax,account.invoice.tax,account.model_account_invoice_tax,portal.group_portal,1,0,0,0 access_account_invoice_line,account.invoice.line,account.model_account_invoice_line,portal.group_portal,1,0,0,0 access_account_journal,account.journal,account.model_account_journal,portal.group_portal,1,0,0,0 -access_account_voucher,account.voucher,account_voucher.model_account_voucher,portal.group_portal,1,0,0,0 -access_account_voucher_line,account.voucher.line,account_voucher.model_account_voucher_line,portal.group_portal,1,0,0,0 access_sale_shop,sale.shop,sale.model_sale_shop,portal.group_portal,1,0,0,0 +access_product_list,product.pricelist,product.model_product_pricelist,portal.group_portal,1,0,0,0 access_res_partner,res.partner,base.model_res_partner,portal.group_portal,1,0,0,0 access_account_tax,account.tax,account.model_account_tax,portal.group_portal,1,0,0,0 -access_res_partner_category,res.partner.category,base.model_res_partner_category,portal.group_portal,1,0,0,0 +access_res_partner_category,res.partner.category,base.model_res_partner_category,portal.group_portal,1,0,0,0 \ No newline at end of file
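Review bot: The re-added `access_product_list` row gives every portal user read access to all `product.pricelist` records, and no record rule for that model is visible anywhere in this series, so the names and currencies of pricelists assigned to other customers become readable. That sits uneasily with the principle stated in patch 10 (access rights should come with rules or not be granted); if only the user's own pricelist is needed to show unit prices, a scoping rule in portal_security.xml would restore it. The last row also loses its trailing newline, which makes the next appended row easy to merge into it by accident.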