[FIX] website_forum: check karma access on direct message edit/unlink too
Access rights on messages are derived from the access rights on the documents they are attached to. Due to the karma-based nature of the forum access rights, these do not automatically reflect on messages, because they are not implemented as access rules. The check_mail_message_access() needs to be overridden to achieve the same effect. + allow calling super().check_mail_message_access() from new API (useful in forward-port)
parent
37959d45f3
commit
6377699c44
|
@ -589,6 +589,7 @@ class mail_thread(osv.AbstractModel):
|
||||||
ir_attachment_obj.unlink(cr, uid, attach_ids, context=context)
|
ir_attachment_obj.unlink(cr, uid, attach_ids, context=context)
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
@api.cr_uid_ids_context
|
||||||
def check_mail_message_access(self, cr, uid, mids, operation, model_obj=None, context=None):
|
def check_mail_message_access(self, cr, uid, mids, operation, model_obj=None, context=None):
|
||||||
""" mail.message check permission rules for related document. This method is
|
""" mail.message check permission rules for related document. This method is
|
||||||
meant to be inherited in order to implement addons-specific behavior.
|
meant to be inherited in order to implement addons-specific behavior.
|
||||||
|
|
|
@ -387,6 +387,14 @@ class Post(osv.Model):
|
||||||
self.pool['res.users'].add_karma(cr, SUPERUSER_ID, [uid], post.forum_id.karma_gen_question_new, context=context)
|
self.pool['res.users'].add_karma(cr, SUPERUSER_ID, [uid], post.forum_id.karma_gen_question_new, context=context)
|
||||||
return post_id
|
return post_id
|
||||||
|
|
||||||
|
def check_mail_message_access(self, cr, uid, mids, operation, model_obj=None, context=None):
|
||||||
|
for post in self.browse(cr, uid, mids, context=context):
|
||||||
|
# Make sure only author or moderator can edit/delete messages
|
||||||
|
if operation in ('write', 'unlink') and not post.can_edit:
|
||||||
|
raise KarmaError('Not enough karma to edit a post.')
|
||||||
|
return super(Post, self).check_mail_message_access(
|
||||||
|
cr, uid, mids, operation, model_obj=model_obj, context=context)
|
||||||
|
|
||||||
def write(self, cr, uid, ids, vals, context=None):
|
def write(self, cr, uid, ids, vals, context=None):
|
||||||
posts = self.browse(cr, uid, ids, context=context)
|
posts = self.browse(cr, uid, ids, context=context)
|
||||||
if 'state' in vals:
|
if 'state' in vals:
|
||||||
|
|
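Review bot: The new `check_mail_message_access` override on `Post` browses `mids` as forum posts, yet the parameter name inherited from `mail_thread` reads like message ids and the method has no docstring saying which it is; if a caller passed message ids, `can_edit` would be evaluated on unrelated posts and the karma check would guard the wrong records. Once confirmed against the caller (not visible in this hunk), I would add a docstring such as `"""Deny write/unlink on messages of posts the user cannot edit; mids are the ids of the posts the messages are attached to."""`. The `operation in ('write', 'unlink')` test does not depend on `post`, so it can be hoisted above the `for` to skip the browse entirely for read and create. The error text says "edit a post" even when the denied operation is `unlink` on a message, which will make a refused deletion harder to diagnose from logs.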