From b2265108406e0dc1d1e1250fdbad5bc2cee2006d Mon Sep 17 00:00:00 2001
From: Ravi Gohil <rgo@odoo.com>
Date: Thu, 21 Jul 2016 15:14:02 +0530
Subject: [PATCH] [IMP] payment_*: avoid access error on provider model

As provider model is intended to be used internally restricting the read of
some private fields to the employee group avoid creating access issues.
---
 addons/payment_adyen/models/adyen.py         |  6 +++---
 addons/payment_authorize/models/authorize.py |  4 ++--
 addons/payment_buckaroo/models/buckaroo.py   |  4 ++--
 addons/payment_ogone/models/ogone.py         | 10 +++++-----
 addons/payment_paypal/models/paypal.py       | 14 +++++++-------
 addons/payment_sips/controllers/main.py      |  2 +-
 addons/payment_sips/models/sips.py           |  4 ++--
 addons/portal_sale/portal_sale.py            |  4 ++--
 8 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/addons/payment_adyen/models/adyen.py b/addons/payment_adyen/models/adyen.py
index 32e57ab0a47..a1424ebb3c5 100644
--- a/addons/payment_adyen/models/adyen.py
+++ b/addons/payment_adyen/models/adyen.py
@@ -36,9 +36,9 @@ class AcquirerAdyen(osv.Model):
         return providers
 
     _columns = {
-        'adyen_merchant_account': fields.char('Merchant Account', required_if_provider='adyen'),
-        'adyen_skin_code': fields.char('Skin Code', required_if_provider='adyen'),
-        'adyen_skin_hmac_key': fields.char('Skin HMAC Key', required_if_provider='adyen'),
+        'adyen_merchant_account': fields.char('Merchant Account', required_if_provider='adyen', groups='base.group_user'),
+        'adyen_skin_code': fields.char('Skin Code', required_if_provider='adyen', groups='base.group_user'),
+        'adyen_skin_hmac_key': fields.char('Skin HMAC Key', required_if_provider='adyen', groups='base.group_user'),
     }
 
     def _adyen_generate_merchant_sig(self, acquirer, inout, values):
diff --git a/addons/payment_authorize/models/authorize.py b/addons/payment_authorize/models/authorize.py
index 2708daa37a6..5168d8d1b99 100644
--- a/addons/payment_authorize/models/authorize.py
+++ b/addons/payment_authorize/models/authorize.py
@@ -30,8 +30,8 @@ class PaymentAcquirerAuthorize(models.Model):
         providers.append(['authorize', 'Authorize.Net'])
         return providers
 
-    authorize_login = fields.Char(string='API Login Id', required_if_provider='authorize')
-    authorize_transaction_key = fields.Char(string='API Transaction Key', required_if_provider='authorize')
+    authorize_login = fields.Char(string='API Login Id', required_if_provider='authorize', groups='base.group_user')
+    authorize_transaction_key = fields.Char(string='API Transaction Key', required_if_provider='authorize', groups='base.group_user')
 
     def _authorize_generate_hashing(self, values):
         data = '^'.join([
diff --git a/addons/payment_buckaroo/models/buckaroo.py b/addons/payment_buckaroo/models/buckaroo.py
index eded57800f9..62b26783db5 100644
--- a/addons/payment_buckaroo/models/buckaroo.py
+++ b/addons/payment_buckaroo/models/buckaroo.py
@@ -43,8 +43,8 @@ class AcquirerBuckaroo(osv.Model):
         return providers
 
     _columns = {
-        'brq_websitekey': fields.char('WebsiteKey', required_if_provider='buckaroo'),
-        'brq_secretkey': fields.char('SecretKey', required_if_provider='buckaroo'),
+        'brq_websitekey': fields.char('WebsiteKey', required_if_provider='buckaroo', groups='base.group_user'),
+        'brq_secretkey': fields.char('SecretKey', required_if_provider='buckaroo', groups='base.group_user'),
     }
 
     def _buckaroo_generate_digital_sign(self, acquirer, inout, values):
diff --git a/addons/payment_ogone/models/ogone.py b/addons/payment_ogone/models/ogone.py
index de6d29a4b51..8e58cb8cd8e 100644
--- a/addons/payment_ogone/models/ogone.py
+++ b/addons/payment_ogone/models/ogone.py
@@ -43,11 +43,11 @@ class PaymentAcquirerOgone(osv.Model):
         return providers
 
     _columns = {
-        'ogone_pspid': fields.char('PSPID', required_if_provider='ogone'),
-        'ogone_userid': fields.char('API User ID', required_if_provider='ogone'),
-        'ogone_password': fields.char('API User Password', required_if_provider='ogone'),
-        'ogone_shakey_in': fields.char('SHA Key IN', size=32, required_if_provider='ogone'),
-        'ogone_shakey_out': fields.char('SHA Key OUT', size=32, required_if_provider='ogone'),
+        'ogone_pspid': fields.char('PSPID', required_if_provider='ogone', groups='base.group_user'),
+        'ogone_userid': fields.char('API User ID', required_if_provider='ogone', groups='base.group_user'),
+        'ogone_password': fields.char('API User Password', required_if_provider='ogone', groups='base.group_user'),
+        'ogone_shakey_in': fields.char('SHA Key IN', size=32, required_if_provider='ogone', groups='base.group_user'),
+        'ogone_shakey_out': fields.char('SHA Key OUT', size=32, required_if_provider='ogone', groups='base.group_user'),
     }
 
     def _ogone_generate_shasign(self, acquirer, inout, values):
diff --git a/addons/payment_paypal/models/paypal.py b/addons/payment_paypal/models/paypal.py
index d66b55add50..d03c0b71027 100644
--- a/addons/payment_paypal/models/paypal.py
+++ b/addons/payment_paypal/models/paypal.py
@@ -41,17 +41,17 @@ class AcquirerPaypal(osv.Model):
         return providers
 
     _columns = {
-        'paypal_email_account': fields.char('Paypal Email ID', required_if_provider='paypal'),
+        'paypal_email_account': fields.char('Paypal Email ID', required_if_provider='paypal', groups='base.group_user'),
         'paypal_seller_account': fields.char(
-            'Paypal Merchant ID',
+            'Paypal Merchant ID', groups='base.group_user',
             help='The Merchant ID is used to ensure communications coming from Paypal are valid and secured.'),
-        'paypal_use_ipn': fields.boolean('Use IPN', help='Paypal Instant Payment Notification'),
+        'paypal_use_ipn': fields.boolean('Use IPN', help='Paypal Instant Payment Notification', groups='base.group_user'),
         # Server 2 server
         'paypal_api_enabled': fields.boolean('Use Rest API'),
-        'paypal_api_username': fields.char('Rest API Username'),
-        'paypal_api_password': fields.char('Rest API Password'),
-        'paypal_api_access_token': fields.char('Access Token'),
-        'paypal_api_access_token_validity': fields.datetime('Access Token Validity'),
+        'paypal_api_username': fields.char('Rest API Username', groups='base.group_user'),
+        'paypal_api_password': fields.char('Rest API Password', groups='base.group_user'),
+        'paypal_api_access_token': fields.char('Access Token', groups='base.group_user'),
+        'paypal_api_access_token_validity': fields.datetime('Access Token Validity', groups='base.group_user'),
     }
 
     _defaults = {
diff --git a/addons/payment_sips/controllers/main.py b/addons/payment_sips/controllers/main.py
index 47c9c8d0f0e..2355229fa41 100644
--- a/addons/payment_sips/controllers/main.py
+++ b/addons/payment_sips/controllers/main.py
@@ -35,7 +35,7 @@ class SipsController(http.Controller):
 
         sips = acquirer_obj.search([('provider', '=', 'sips')], limit=1)
 
-        security = sips._sips_generate_shasign(post)
+        security = sips.sudo()._sips_generate_shasign(post)
         if security == post['Seal']:
             _logger.debug('Sips: validated data')
             res = tx_obj.sudo().form_feedback(post, 'sips')
diff --git a/addons/payment_sips/models/sips.py b/addons/payment_sips/models/sips.py
index 980873178a9..2706b729ac4 100644
--- a/addons/payment_sips/models/sips.py
+++ b/addons/payment_sips/models/sips.py
@@ -41,8 +41,8 @@ class AcquirerSips(models.Model):
     _inherit = 'payment.acquirer'
     # Fields
     sips_merchant_id = fields.Char('SIPS API User Password',
-                                   required_if_provider='sips')
-    sips_secret = fields.Char('SIPS Secret', size=64, required_if_provider='sips')
+                                   required_if_provider='sips', groups='base.group_user')
+    sips_secret = fields.Char('SIPS Secret', size=64, required_if_provider='sips', groups='base.group_user')
 
     # Methods
     def _get_sips_urls(self, environment):
diff --git a/addons/portal_sale/portal_sale.py b/addons/portal_sale/portal_sale.py
index 6bc44b5dc02..1b884d075dd 100644
--- a/addons/portal_sale/portal_sale.py
+++ b/addons/portal_sale/portal_sale.py
@@ -40,7 +40,7 @@ class sale_order(osv.Model):
         for this in self.browse(cr, SUPERUSER_ID, ids, context=context):
             if this.state not in ('draft', 'cancel') and not this.invoiced:
                 result[this.id] = payment_acquirer.render_payment_block(
-                    cr, uid, this.name, this.amount_total, this.pricelist_id.currency_id.id,
+                    cr, SUPERUSER_ID, this.name, this.amount_total, this.pricelist_id.currency_id.id,
                     partner_id=this.partner_id.id, company_id=this.company_id.id, context=context)
         return result
 
@@ -100,7 +100,7 @@ class account_invoice(osv.Model):
         for this in self.browse(cr, uid, ids, context=context):
             if this.type == 'out_invoice' and this.state not in ('draft', 'done') and not this.reconciled:
                 result[this.id] = payment_acquirer.render_payment_block(
-                    cr, uid, this.number, this.residual, this.currency_id.id,
+                    cr, SUPERUSER_ID, this.number, this.residual, this.currency_id.id,
                     partner_id=this.partner_id.id, company_id=this.company_id.id, context=context)
         return result