[FIX] account, point_of_sale: remove force_allow feature due to security issue on opening account cash statement

bzr revid: hmo@tinyerp.com-20101028071827-2nap7ev4f6w8n1fy
2010-10-28 12:48:27 +05:30 · 2010-10-28 12:48:27 +05:30 · 2cf297f028
parent b2dabaed39
commit 2cf297f028
3 changed files with 4 additions and 4 deletions
--- a/addons/account/account_cash_statement.py
+++ b/addons/account/account_cash_statement.py
@ -328,8 +328,7 @@ class account_cash_statement(osv.osv):
        statement_pool = self.pool.get('account.bank.statement')
        for statement in statement_pool.browse(cr, uid, ids, context=context):
            vals = {}
-            force_allow = context.get('force_allow',False)
-            if not force_allow and not self._user_allow(cr, uid, statement.id, context=context):
+            if not self._user_allow(cr, uid, statement.id, context=context):
                raise osv.except_osv(_('Error !'), _('User %s does not have rights to access %s journal !' % (statement.user_id.name, statement.journal_id.name)))

            if statement.name and statement.name == '/':
--- a/addons/account/test/account_cash_statement.yml
+++ b/addons/account/test/account_cash_statement.yml
@ -26,7 +26,7 @@
  I clicked on Open CashBox button to open the cashbox
 -
 !python {model: account.bank.statement}: |
-    self.button_open(cr, uid, [ref("account_bank_statement_1")], {"force_allow":True, "lang": "en_US", "tz": False, "active_model": "account.bank.statement", "active_ids": [ref("account_bank_statement_1")], "active_id": ref("account_bank_statement_1"), })
+    self.button_open(cr, uid, [ref("account_bank_statement_1")], {"lang": "en_US", "tz": False, "active_model": "account.bank.statement", "active_ids": [ref("account_bank_statement_1")], "active_id": ref("account_bank_statement_1"), })

 -
  I check that now bank statement is in the "Open" state
--- a/addons/point_of_sale/account_bank_statement.py
+++ b/addons/point_of_sale/account_bank_statement.py
@ -57,6 +57,7 @@ class account_cash_statement(osv.osv):
        res = False
        uids = []
        statement = self.browse(cr, uid, statement_id, context=context)
+        if (not statement.journal_id.journal_users) and uid == 1: return True
        for user in statement.journal_id.journal_users:
            uids.append(user.id)
        if uid in uids:
@ -93,4 +94,4 @@ class account_cash_statement(osv.osv):

 account_cash_statement()

-# vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4:
+# vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4: