[FIX] share: current user restrictions were not properly copied
This could lead to security issues, because shared users could have more access rights than the user sharing the data. The mechanism was working to copy them, but unfortunately not working. bzr revid: odo@openerp.com-20110505170756-ihkkzxy0485t43bd
This commit is contained in:
parent
085bf6d02f
commit
685e29d9d3
|
@ -349,21 +349,21 @@ class share_create(osv.osv_memory):
|
|||
|
||||
def _link_or_copy_current_user_rules(self, cr, current_user, group_id, fields_relations, context=None):
|
||||
rule_obj = self.pool.get('ir.rule')
|
||||
completed_models = set()
|
||||
rules_done = set()
|
||||
for group in current_user.groups_id:
|
||||
for dummy, model in fields_relations:
|
||||
if model.id in completed_models:
|
||||
continue
|
||||
completed_models.add(model.id)
|
||||
for rule in group.rule_groups:
|
||||
if rule.model_id == model.id:
|
||||
if rule.id in rules_done:
|
||||
continue
|
||||
rules_done.add(rule.id)
|
||||
if rule.model_id.id == model.id:
|
||||
if 'user.' in rule.domain_force:
|
||||
# Above pattern means there is likely a condition
|
||||
# specific to current user, so we must copy the rule using
|
||||
# the evaluated version of the domain.
|
||||
# And it's better to copy one time too much than too few
|
||||
rule_obj.copy(cr, UID_ROOT, rule.id, default={
|
||||
'name': '%s (%s)' %(rule.name, _('(Copy for sharing)')),
|
||||
'name': '%s %s' %(rule.name, _('(Copy for sharing)')),
|
||||
'groups': [(6,0,[group_id])],
|
||||
'domain_force': rule.domain, # evaluated version!
|
||||
})
|
||||
|
|
Loading…
Reference in New Issue