[FIX] security: res.groups should be readable by admins only
parent
72d3697fbc
commit
53582c2ea6
|
@ -22,6 +22,7 @@
|
|||
import logging
|
||||
from urllib import quote as quote
|
||||
|
||||
from openerp import SUPERUSER_ID
|
||||
from openerp.osv import osv, fields
|
||||
from openerp.tools.translate import _
|
||||
from openerp.tools import float_repr
|
||||
|
@ -75,7 +76,7 @@ class acquirer(osv.Model):
|
|||
link = '#action=account.action_account_config'
|
||||
payment_header = _('You can finish the configuration in the <a href="%s">Bank&Cash settings</a>') % link
|
||||
amount = _('No online payment acquirers configured')
|
||||
group_ids = self.pool.get('res.users').browse(cr, uid, uid, context=context).groups_id
|
||||
group_ids = self.pool.get('res.users').browse(cr, SUPERUSER_ID, uid, context=context).groups_id
|
||||
if any(group.is_portal for group in group_ids):
|
||||
return ''
|
||||
else:
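Review bot: The `browse(cr, SUPERUSER_ID, uid, ...)` call on the new `group_ids = ...` line has no comment explaining the privilege escalation, and the records it returns stay bound to the superuser for every later attribute access. The commit title and the access-rule hunk further down suggest ordinary users lose read access to res.groups, so the reason is worth recording next to the call. A comment such as `# browse as SUPERUSER_ID: regular users can no longer read res.groups; only is_portal is read here, never return or pass on these records` would keep a later edit from widening what is exposed. `group_ids` also holds browse records rather than ids, so `groups` would be a more accurate name. The enclosing method starts and ends outside the hunk.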
|
||||
|
|
|
@ -53,7 +53,6 @@
|
|||
"access_res_currency_group_system","res_currency group_system","model_res_currency","group_system",1,1,1,1
|
||||
"access_res_currency_rate_group_system","res_currency_rate group_system","model_res_currency_rate","group_system",1,1,1,1
|
||||
"access_res_groups_group_erp_manager","res_groups group_erp_manager","model_res_groups","group_erp_manager",1,1,1,1
|
||||
"access_res_groups_group_user","res_groups group_user","model_res_groups",,1,0,0,0
|
||||
"access_res_lang_group_all","res_lang group_all","model_res_lang",,1,0,0,0
|
||||
"access_res_lang_group_user","res_lang group_user","model_res_lang","group_system",1,1,1,1
|
||||
"access_res_partner_group_partner_manager","res_partner group_partner_manager","model_res_partner","group_partner_manager",1,1,1,1
|
||||
|
|
|