[FIX] *: accesses of views concernings specific groups

If the whole view relates to a specific group, apply the group on the view itself instead of each view part (each fields, each page, each div,...), so the view is loaded / added to the base view only if the user is in the right group. So the view is not loaded uselessly and the fields are not read for nothing (performances & security). Indeed, when a group is applied on a field itself, the field content is read, but hidden, therefore reading the content of the field uselessly, and potentially leading to accesses issues if the user hasn't the rights to read the field. (e.g. reading a property when not having access to the model of the proprty, pricelists on partners for instance) opw-634402
2015-05-12 11:20:14 +02:00 · 2015-05-12 11:20:14 +02:00 · 73432ffe9f
parent cf6d7479d5
commit 73432ffe9f
3 changed files with 10 additions and 7 deletions
--- a/addons/account/partner_view.xml
+++ b/addons/account/partner_view.xml
@ -138,9 +138,10 @@
            <field name="model">res.partner</field>
            <field name="priority">2</field>
            <field name="inherit_id" ref="base.view_partner_form"/>
+            <field name="groups_id" eval="[(4, ref('account.group_account_invoice'))]"/>
            <field name="arch" type="xml">
                <page name="sales_purchases" position="after">
-                <page string="Accounting" col="4" name="accounting" attrs="{'invisible': [('is_company','=',False),('parent_id','!=',False)]}" groups="account.group_account_invoice">
+                <page string="Accounting" col="4" name="accounting" attrs="{'invisible': [('is_company','=',False),('parent_id','!=',False)]}">
                    <group>
                        <group>
                            <field name="property_account_position" widget="selection"/>
@ -149,13 +150,13 @@
                            <field name="last_reconciliation_date"/>
                        </group>
                        <group>
-                            <field name="property_account_receivable" groups="account.group_account_invoice" />
+                            <field name="property_account_receivable"/>
                            <field name="property_payment_term" widget="selection"/>
                            <field name="credit"/>
                            <field name="credit_limit"/>
                        </group>
                        <group>
-                            <field name="property_account_payable" groups="account.group_account_invoice"/>
+                            <field name="property_account_payable"/>
                            <field name="property_supplier_payment_term" widget="selection"/>
                            <field name="debit"/>
                        </group>
@ -170,7 +171,7 @@
                        </tree>
                    </field>
                </page>
-                <page string="Accounting" name="accounting_disabled" attrs="{'invisible': ['|',('is_company','=',True),('parent_id','=',False)]}" groups="account.group_account_invoice">
+                <page string="Accounting" name="accounting_disabled" attrs="{'invisible': ['|',('is_company','=',True),('parent_id','=',False)]}">
                    <div>
                        <p>Accounting-related settings are managed on <button name="open_commercial_entity" type="object" string="the parent company" class="oe_link"/></p>
                    </div>
--- a/addons/product/partner_view.xml
+++ b/addons/product/partner_view.xml
@ -5,13 +5,14 @@
            <field name="name">res.partner.product.property.form.inherit</field>
            <field name="model">res.partner</field>
            <field name="inherit_id" ref="base.view_partner_form"/>
+            <field name="groups_id" eval="[(4, ref('product.group_sale_pricelist'))]"/>
            <field name="arch" type="xml">
                <page string="Sales &amp; Purchases" position="inside">
                    <group>
                        <group name="pricelists" attrs="{'invisible': [('is_company','=',False),('parent_id','!=',False)]}">
-                            <field name="property_product_pricelist" groups="product.group_sale_pricelist"/>
+                            <field name="property_product_pricelist"/>
                        </group>
-                        <div name="parent_pricelists" groups="product.group_sale_pricelist" attrs="{'invisible': ['|',('is_company','=',True),('parent_id','=',False)]}">
+                        <div name="parent_pricelists" attrs="{'invisible': ['|',('is_company','=',True),('parent_id','=',False)]}">
                            <p>Pricelists are managed on <button name="open_commercial_entity" type="object" string="the parent company" class="oe_link"/></p>
                        </div>
                    </group>
--- a/addons/purchase/partner_view.xml
+++ b/addons/purchase/partner_view.xml
@ -6,9 +6,10 @@
            <field name="model">res.partner</field>
            <field name="inherit_id" ref="base.view_partner_form"/>
            <field name="priority">36</field>
+            <field name="groups_id" eval="[(4, ref('product.group_purchase_pricelist'))]"/>
            <field name="arch" type="xml">
                <field name="property_product_pricelist" position="after">
-                    <field name="property_product_pricelist_purchase" groups="product.group_purchase_pricelist"/>
+                    <field name="property_product_pricelist_purchase"/>
                </field>
            </field>
        </record>