[FIX] security: externals should be able to read attachements

without having the rights to read ir.config_parameter
2014-08-26 12:55:48 +02:00 · 2014-08-26 12:55:48 +02:00 · 72d3697fbc
parent 80017b04c2
commit 72d3697fbc
1 changed files with 3 additions and 3 deletions
--- a/openerp/addons/base/ir/ir_attachment.py
+++ b/openerp/addons/base/ir/ir_attachment.py
@ -121,7 +121,7 @@ class ir_attachment(osv.osv):
        if context is None:
            context = {}
        result = {}
-        location = self.pool.get('ir.config_parameter').get_param(cr, uid, 'ir_attachment.location')
+        location = self.pool.get('ir.config_parameter').get_param(cr, SUPERUSER_ID, 'ir_attachment.location')
        bin_size = context.get('bin_size')
        for attach in self.browse(cr, uid, ids, context=context):
            if location and attach.store_fname:
@ -136,7 +136,7 @@ class ir_attachment(osv.osv):
            return True
        if context is None:
            context = {}
-        location = self.pool.get('ir.config_parameter').get_param(cr, uid, 'ir_attachment.location')
+        location = self.pool.get('ir.config_parameter').get_param(cr, SUPERUSER_ID, 'ir_attachment.location')
        file_size = len(value.decode('base64'))
        if location:
            attach = self.browse(cr, uid, id, context=context)
@ -284,7 +284,7 @@ class ir_attachment(osv.osv):
        if isinstance(ids, (int, long)):
            ids = [ids]
        self.check(cr, uid, ids, 'unlink', context=context)
-        location = self.pool.get('ir.config_parameter').get_param(cr, uid, 'ir_attachment.location')
+        location = self.pool.get('ir.config_parameter').get_param(cr, SUPERUSER_ID, 'ir_attachment.location')
        if location:
            for attach in self.browse(cr, uid, ids, context=context):
                if attach.store_fname: