[FIX] security: res.groups should be readable by admins only

addons/portal/acquirer.py

@@ -22,6 +22,7 @@
 import logging
 from urllib import quote as quote
 
+from openerp import SUPERUSER_ID
 from openerp.osv import osv, fields
 from openerp.tools.translate import _
 from openerp.tools import float_repr
@@ -75,7 +76,7 @@ class acquirer(osv.Model):
             link = '#action=account.action_account_config'
             payment_header = _('You can finish the configuration in the <a href="%s">Bank&Cash settings</a>') % link
             amount = _('No online payment acquirers configured')
-            group_ids = self.pool.get('res.users').browse(cr, uid, uid, context=context).groups_id
+            group_ids = self.pool.get('res.users').browse(cr, SUPERUSER_ID, uid, context=context).groups_id
             if any(group.is_portal for group in group_ids):
                 return ''
         else:

openerp/addons/base/security/ir.model.access.csv

@@ -53,7 +53,6 @@
 "access_res_currency_group_system","res_currency group_system","model_res_currency","group_system",1,1,1,1
 "access_res_currency_rate_group_system","res_currency_rate group_system","model_res_currency_rate","group_system",1,1,1,1
 "access_res_groups_group_erp_manager","res_groups group_erp_manager","model_res_groups","group_erp_manager",1,1,1,1
-"access_res_groups_group_user","res_groups group_user","model_res_groups",,1,0,0,0
 "access_res_lang_group_all","res_lang group_all","model_res_lang",,1,0,0,0
 "access_res_lang_group_user","res_lang group_user","model_res_lang","group_system",1,1,1,1
 "access_res_partner_group_partner_manager","res_partner group_partner_manager","model_res_partner","group_partner_manager",1,1,1,1