From 73432ffe9f5007aaae0b70f1df2755a6494b0691 Mon Sep 17 00:00:00 2001
From: Denis Ledoux <dle@odoo.com>
Date: Tue, 12 May 2015 11:20:14 +0200
Subject: [PATCH] [FIX] *: accesses of views concernings specific groups

If the whole view relates to a specific group,
apply the group on the view itself instead of
each view part (each fields, each page, each div,...),
so the view is loaded / added to the base view
only if the user is in the right group.
So the view is not loaded uselessly
and the fields are not read for nothing
(performances & security).

Indeed, when a group is applied on a field itself, the field content
is read, but hidden, therefore reading the content of the field
uselessly, and potentially leading to accesses issues
if the user hasn't the rights to read the field.
(e.g. reading a property when not having access to the model
of the proprty, pricelists on partners for instance)

opw-634402
---
 addons/account/partner_view.xml  | 9 +++++----
 addons/product/partner_view.xml  | 5 +++--
 addons/purchase/partner_view.xml | 3 ++-
 3 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/addons/account/partner_view.xml b/addons/account/partner_view.xml
index a85b27882c4..181315105d3 100644
--- a/addons/account/partner_view.xml
+++ b/addons/account/partner_view.xml
@@ -138,9 +138,10 @@
             <field name="model">res.partner</field>
             <field name="priority">2</field>
             <field name="inherit_id" ref="base.view_partner_form"/>
+            <field name="groups_id" eval="[(4, ref('account.group_account_invoice'))]"/>
             <field name="arch" type="xml">
                 <page name="sales_purchases" position="after">
-                <page string="Accounting" col="4" name="accounting" attrs="{'invisible': [('is_company','=',False),('parent_id','!=',False)]}" groups="account.group_account_invoice">
+                <page string="Accounting" col="4" name="accounting" attrs="{'invisible': [('is_company','=',False),('parent_id','!=',False)]}">
                     <group>
                         <group>
                             <field name="property_account_position" widget="selection"/>
@@ -149,13 +150,13 @@
                             <field name="last_reconciliation_date"/>
                         </group>
                         <group>
-                            <field name="property_account_receivable" groups="account.group_account_invoice" />
+                            <field name="property_account_receivable"/>
                             <field name="property_payment_term" widget="selection"/>
                             <field name="credit"/>
                             <field name="credit_limit"/>
                         </group>
                         <group>
-                            <field name="property_account_payable" groups="account.group_account_invoice"/>
+                            <field name="property_account_payable"/>
                             <field name="property_supplier_payment_term" widget="selection"/>
                             <field name="debit"/>
                         </group>
@@ -170,7 +171,7 @@
                         </tree>
                     </field>
                 </page>
-                <page string="Accounting" name="accounting_disabled" attrs="{'invisible': ['|',('is_company','=',True),('parent_id','=',False)]}" groups="account.group_account_invoice">
+                <page string="Accounting" name="accounting_disabled" attrs="{'invisible': ['|',('is_company','=',True),('parent_id','=',False)]}">
                     <div>
                         <p>Accounting-related settings are managed on <button name="open_commercial_entity" type="object" string="the parent company" class="oe_link"/></p>
                     </div>
diff --git a/addons/product/partner_view.xml b/addons/product/partner_view.xml
index 95332cf0f32..8d160a57fb3 100644
--- a/addons/product/partner_view.xml
+++ b/addons/product/partner_view.xml
@@ -5,13 +5,14 @@
             <field name="name">res.partner.product.property.form.inherit</field>
             <field name="model">res.partner</field>
             <field name="inherit_id" ref="base.view_partner_form"/>
+            <field name="groups_id" eval="[(4, ref('product.group_sale_pricelist'))]"/>
             <field name="arch" type="xml">
                 <page string="Sales &amp; Purchases" position="inside">
                     <group>
                         <group name="pricelists" attrs="{'invisible': [('is_company','=',False),('parent_id','!=',False)]}">
-                            <field name="property_product_pricelist" groups="product.group_sale_pricelist"/>
+                            <field name="property_product_pricelist"/>
                         </group>
-                        <div name="parent_pricelists" groups="product.group_sale_pricelist" attrs="{'invisible': ['|',('is_company','=',True),('parent_id','=',False)]}">
+                        <div name="parent_pricelists" attrs="{'invisible': ['|',('is_company','=',True),('parent_id','=',False)]}">
                             <p>Pricelists are managed on <button name="open_commercial_entity" type="object" string="the parent company" class="oe_link"/></p>
                         </div>
                     </group>
diff --git a/addons/purchase/partner_view.xml b/addons/purchase/partner_view.xml
index 30d5ffb01ca..969a4a9e2c7 100644
--- a/addons/purchase/partner_view.xml
+++ b/addons/purchase/partner_view.xml
@@ -6,9 +6,10 @@
             <field name="model">res.partner</field>
             <field name="inherit_id" ref="base.view_partner_form"/>
             <field name="priority">36</field>
+            <field name="groups_id" eval="[(4, ref('product.group_purchase_pricelist'))]"/>
             <field name="arch" type="xml">
                 <field name="property_product_pricelist" position="after">
-                    <field name="property_product_pricelist_purchase" groups="product.group_purchase_pricelist"/>
+                    <field name="property_product_pricelist_purchase"/>
                 </field>
             </field>
         </record>