From 72d3697fbc77eca9ad8abf43a81bb13a0a8bfb65 Mon Sep 17 00:00:00 2001 From: Denis Ledoux Date: Tue, 26 Aug 2014 12:55:48 +0200 Subject: [PATCH] [FIX] security: externals should be able to read attachements without having the rights to read ir.config_parameter --- openerp/addons/base/ir/ir_attachment.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openerp/addons/base/ir/ir_attachment.py b/openerp/addons/base/ir/ir_attachment.py index 43d13126f3b..2c0af45ee66 100644 --- a/openerp/addons/base/ir/ir_attachment.py +++ b/openerp/addons/base/ir/ir_attachment.py @@ -121,7 +121,7 @@ class ir_attachment(osv.osv): if context is None: context = {} result = {} - location = self.pool.get('ir.config_parameter').get_param(cr, uid, 'ir_attachment.location') + location = self.pool.get('ir.config_parameter').get_param(cr, SUPERUSER_ID, 'ir_attachment.location') bin_size = context.get('bin_size') for attach in self.browse(cr, uid, ids, context=context): if location and attach.store_fname: @@ -136,7 +136,7 @@ class ir_attachment(osv.osv): return True if context is None: context = {} - location = self.pool.get('ir.config_parameter').get_param(cr, uid, 'ir_attachment.location') + location = self.pool.get('ir.config_parameter').get_param(cr, SUPERUSER_ID, 'ir_attachment.location') file_size = len(value.decode('base64')) if location: attach = self.browse(cr, uid, id, context=context) @@ -284,7 +284,7 @@ class ir_attachment(osv.osv): if isinstance(ids, (int, long)): ids = [ids] self.check(cr, uid, ids, 'unlink', context=context) - location = self.pool.get('ir.config_parameter').get_param(cr, uid, 'ir_attachment.location') + location = self.pool.get('ir.config_parameter').get_param(cr, SUPERUSER_ID, 'ir_attachment.location') if location: for attach in self.browse(cr, uid, ids, context=context): if attach.store_fname: