From 812318dcbae13aa6ab87b919b31bc78cc74b97fe Mon Sep 17 00:00:00 2001
From: Denis Ledoux
Date: Wed, 8 Jul 2015 17:33:58 +0200
Subject: [PATCH] [FIX] survery: access rights for invitations

When building a new suvery, and sending invitation trough private emails, it wasn't possible to fill the survey from the link sent if you were not logged as the user who sent the invitation, or as a survey manager
opw-644210
Fixes #7486
---
 addons/survey/controllers/main.py | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/addons/survey/controllers/main.py b/addons/survey/controllers/main.py
index 511d70896c3..bb27d532cb6 100644
--- a/addons/survey/controllers/main.py
+++ b/addons/survey/controllers/main.py
@@ -105,11 +105,11 @@ class WebsiteSurvey(http.Controller):
 user_input = user_input_obj.browse(cr, uid, [user_input_id], context=context)[0]
 else:
 try:
- user_input_id = user_input_obj.search(cr, uid, [('token', '=', token)], context=context)[0]
+ user_input_id = user_input_obj.search(cr, SUPERUSER_ID, [('token', '=', token)], context=context)[0]
 except IndexError: # Invalid token
 return request.website.render("website.403")
 else:
- user_input = user_input_obj.browse(cr, uid, [user_input_id], context=context)[0]
+ user_input = user_input_obj.browse(cr, SUPERUSER_ID, [user_input_id], context=context)[0]
 # Do not open expired survey
 errpage = self._check_deadline(cr, uid, user_input, context=context)
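Review bot: In the `@@ -105,11` hunk the token lookup now runs `search` and `browse` as `SUPERUSER_ID` for every caller, so holding a valid token becomes the only access check on this read path, whereas the submit handler later in this patch elevates its writes only when `user_input.type == 'link'`. The returned `user_input` record is bound to the superuser, so relations read from it afterwards presumably bypass record rules as well. Consider confirming that the record belongs to the survey in the URL before it is used, e.g. `if user_input.survey_id.id != survey.id: return request.website.render("website.403")` (assuming `survey` is the route argument, as in the submit handler), and add a comment stating that the token is the authorization here. The `@@ -140,11` hunk has the same unconditional elevation; both functions start and end outside their hunks, so an existing check may simply not be visible.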
@@ -140,11 +140,11 @@ class WebsiteSurvey(http.Controller):
 # Load the user_input
 try:
- user_input_id = user_input_obj.search(cr, uid, [('token', '=', token)])[0]
+ user_input_id = user_input_obj.search(cr, SUPERUSER_ID, [('token', '=', token)])[0]
 except IndexError: # Invalid token
 return request.website.render("website.403")
 else:
- user_input = user_input_obj.browse(cr, uid, [user_input_id], context=context)[0]
+ user_input = user_input_obj.browse(cr, SUPERUSER_ID, [user_input_id], context=context)[0]
 # Do not display expired survey (even if some pages have already been
 # displayed -- There's a time for everything!)
@@ -189,9 +189,9 @@ class WebsiteSurvey(http.Controller):
 # Fetch previous answers
 if page:
- ids = user_input_line_obj.search(cr, uid, [('user_input_id.token', '=', token), ('page_id', '=', page.id)], context=context)
+ ids = user_input_line_obj.search(cr, SUPERUSER_ID, [('user_input_id.token', '=', token), ('page_id', '=', page.id)], context=context)
 else:
- ids = user_input_line_obj.search(cr, uid, [('user_input_id.token', '=', token)], context=context)
+ ids = user_input_line_obj.search(cr, SUPERUSER_ID, [('user_input_id.token', '=', token)], context=context)
 previous_answers = user_input_line_obj.browse(cr, uid, ids, context=context)
 # Return non empty answers in a JSON compatible format
@@ -231,7 +231,7 @@ class WebsiteSurvey(http.Controller):
 ret = {}
 # Fetch answers
- ids = user_input_line_obj.search(cr, uid, [('user_input_id.token', '=', token)], context=context)
+ ids = user_input_line_obj.search(cr, SUPERUSER_ID, [('user_input_id.token', '=', token)], context=context)
 previous_answers = user_input_line_obj.browse(cr, uid, ids, context=context)
 # Compute score for each question
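Review bot: In the `@@ -189,9` hunk the answer ids are now searched as `SUPERUSER_ID`, but the unchanged next line still does `user_input_line_obj.browse(cr, uid, ids, context=context)`, so the two calls run under different identities. If `uid` cannot read those lines, reading fields from `previous_answers` will presumably still raise an access error and the fix is incomplete for this path. If it can, the elevated search was not needed. Choose one identity deliberately: where elevation is required, resolve the `survey.user_input` by token first, elevate only for invitation (`link`) inputs as the submit handler does, and document it with a comment such as `# the token is the only authorization for these reads`. The `@@ -231,7` hunk has the same search/browse mismatch, and both functions extend beyond their hunks.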
@@ -268,14 +268,15 @@ class WebsiteSurvey(http.Controller):
 user_input_line_obj = request.registry['survey.user_input_line']
 try:
- user_input_id = user_input_obj.search(cr, uid, [('token', '=', post['token'])], context=context)[0]
+ user_input_id = user_input_obj.search(cr, SUPERUSER_ID, [('token', '=', post['token'])], context=context)[0]
 except KeyError: # Invalid token
 return request.website.render("website.403")
+ user_input = user_input_obj.browse(cr, SUPERUSER_ID, user_input_id, context=context)
+ user_id = uid if user_input.type != 'link' else SUPERUSER_ID
 for question in questions:
 answer_tag = "%s_%s_%s" % (survey.id, page_id, question.id)
- user_input_line_obj.save_lines(cr, uid, user_input_id, question, post, answer_tag, context=context)
+ user_input_line_obj.save_lines(cr, user_id, user_input_id, question, post, answer_tag, context=context)
- user_input = user_input_obj.browse(cr, uid, user_input_id, context=context)
 go_back = post['button_submit'] == 'previous'
 next_page, _, last = survey_obj.next_page(cr, uid, user_input, page_id, go_back=go_back, context=context)
 vals = {'last_displayed_page_id': page_id}
@@ -283,7 +284,7 @@ class WebsiteSurvey(http.Controller):
 vals.update({'state': 'done'})
 else:
 vals.update({'state': 'skip'})
- user_input_obj.write(cr, uid, user_input_id, vals, context=context)
+ user_input_obj.write(cr, user_id, user_input_id, vals, context=context)
 ret['redirect'] = '/survey/fill/%s/%s' % (survey.id, post['token'])
 if go_back:
 ret['redirect'] += '/prev'
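Review bot: In the `@@ -268,14` hunk, `search(...)[0]` raises `IndexError` when no record matches the posted token, but the handler catches only `KeyError` (a missing `post['token']`), so an unknown token produces an unhandled exception instead of the 403 page. The two lookup hunks earlier in this patch catch `IndexError`. Change the clause to `except (KeyError, IndexError):  # Invalid token`. Separately, `user_id` becomes `SUPERUSER_ID` for every `link` input and the `write` in the `@@ -283,7` hunk uses it too. It is therefore worth confirming before `save_lines` that `user_input.survey_id` matches the `survey` being submitted. `survey` and `questions` are resolved outside the hunk, so that check may already exist there.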