[FIX] browse records do not try to prefetch fields user can't read

bzr revid: chs@openerp.com-20130819164622-7cre7yqpvlyzsslj
2013-08-19 18:46:22 +02:00 · 2013-08-19 18:46:22 +02:00 · 815fc8f84a
parent d91ba409fd
commit 815fc8f84a
2 changed files with 31 additions and 7 deletions
--- a/openerp/osv/orm.py
+++ b/openerp/osv/orm.py
@ -383,6 +383,7 @@ class browse_record(object):
                raise KeyError(error_msg)

            # if the field is a classic one or a many2one, we'll fetch all classic and many2one fields
+            fields_to_fetch = []
            if col._prefetch:
                # gen the list of "local" (ie not inherited) fields which are classic or many2one
                fields_to_fetch = filter(lambda x: x[1]._classic_write and x[1]._prefetch, self._table._columns.items())
@ -390,9 +391,14 @@ class browse_record(object):
                inherits = map(lambda x: (x[0], x[1][2]), self._table._inherit_fields.items())
                # complete the field list with the inherited fields which are classic or many2one
                fields_to_fetch += filter(lambda x: x[1]._classic_write and x[1]._prefetch, inherits)
-            # otherwise we fetch only that field
-            else:
+
+                # filter out non accessible fields
+                accessible_fields = self._table.check_field_access_rights(self._cr, self._uid, 'read', fields=None, context=self._context)
+                fields_to_fetch = [f for f in fields_to_fetch if f[0] in accessible_fields]
+
+            if not fields_to_fetch:
                fields_to_fetch = [(name, col)]
+
            ids = filter(lambda id: name not in self._data[id], self._data.keys())
            # read the results
            field_names = map(lambda x: x[0], fields_to_fetch)
--- a/openerp/tests/test_acl.py
+++ b/openerp/tests/test_acl.py
@ -9,6 +9,7 @@ import common
 # test group that demo user should not have
 GROUP_TECHNICAL_FEATURES = 'base.group_no_one'

+
 class TestACL(common.TransactionCase):

    def setUp(self):
@ -85,6 +86,23 @@ class TestACL(common.TransactionCase):
        self.tech_group.write({'users': [(3, self.demo_uid)]})
        self.res_partner._columns['bank_ids'].groups = False

+    def test_fields_browse_restriction(self):
+        """Test access to records having restricted fields"""
+        self.res_partner._columns['email'].groups = GROUP_TECHNICAL_FEATURES
+        try:
+            P = self.res_partner
+            pid = P.search(self.cr, self.demo_uid, [], limit=1)[0]
+            part = P.browse(self.cr, self.demo_uid, pid)
+            # accessing fields must no raise exceptions...
+            part.name
+            # ... except they are restricted
+            with self.assertRaises(AttributeError):
+                part.email
+
+        finally:
+            self.res_partner._columns['email'].groups = False
+
+
 if __name__ == '__main__':
    unittest2.main()