[IMP] orm: force checking ir.rules on read when accessing only to _classic_write fields (o2m, m2m, function)

More consistent behaviour. Was not able to access unauthorized data (retrieving data on x2m field would trigger security rules) but make sure it raises an exception instead of silently retrieve no data. Move construct domain inside if clause as no needed before bzr revid: mat@openerp.com-20131205113254-j3j4bb0p6ed23oht
2013-12-05 12:32:54 +01:00 · 2013-12-05 12:32:54 +01:00 · 9652fb0013
parent 3a6953c1d0
commit 9652fb0013
1 changed files with 6 additions and 5 deletions
--- a/openerp/osv/orm.py
+++ b/openerp/osv/orm.py
@ -3636,11 +3636,6 @@ class BaseModel(object):
        if fields_to_read is None:
            fields_to_read = self._columns.keys()

-        # Construct a clause for the security rules.
-        # 'tables' hold the list of tables necessary for the SELECT including the ir.rule clauses,
-        # or will at least contain self._table.
-        rule_clause, rule_params, tables = self.pool.get('ir.rule').domain_get(cr, user, self._name, 'read', context=context)
-
        # all inherited fields + all non inherited fields for which the attribute whose name is in load is True
        fields_pre = [f for f in fields_to_read if
                           f == self.CONCURRENCY_CHECK_FIELD
@ -3661,6 +3656,11 @@ class BaseModel(object):
                    return 'length(%s) as "%s"' % (f_qual, f)
                return f_qual

+            # Construct a clause for the security rules.
+            # 'tables' hold the list of tables necessary for the SELECT including the ir.rule clauses,
+            # or will at least contain self._table.
+            rule_clause, rule_params, tables = self.pool.get('ir.rule').domain_get(cr, user, self._name, 'read', context=context)
+
            fields_pre2 = map(convert_field, fields_pre)
            order_by = self._parent_order or self._order
            select_fields = ','.join(fields_pre2 + ['%s.id' % self._table])
@ -3675,6 +3675,7 @@ class BaseModel(object):
                self._check_record_rules_result_count(cr, user, sub_ids, result_ids, 'read', context=context)
                res.extend(results)
        else:
+            self.check_access_rule(cr, user, ids, 'read', context=context)
            res = map(lambda x: {'id': x}, ids)

        if context.get('lang'):