[IMP] payment_*: avoid access error on provider model

As provider model is intended to be used internally restricting the read of
some private fields to the employee group avoid creating access issues.

addons/payment_adyen/models/adyen.py

@@ -36,9 +36,9 @@ class AcquirerAdyen(osv.Model):
         return providers
 
     _columns = {
-        'adyen_merchant_account': fields.char('Merchant Account', required_if_provider='adyen'),
-        'adyen_skin_code': fields.char('Skin Code', required_if_provider='adyen'),
-        'adyen_skin_hmac_key': fields.char('Skin HMAC Key', required_if_provider='adyen'),
+        'adyen_merchant_account': fields.char('Merchant Account', required_if_provider='adyen', groups='base.group_user'),
+        'adyen_skin_code': fields.char('Skin Code', required_if_provider='adyen', groups='base.group_user'),
+        'adyen_skin_hmac_key': fields.char('Skin HMAC Key', required_if_provider='adyen', groups='base.group_user'),
     }
 
     def _adyen_generate_merchant_sig(self, acquirer, inout, values):

addons/payment_authorize/models/authorize.py

@@ -30,8 +30,8 @@ class PaymentAcquirerAuthorize(models.Model):
         providers.append(['authorize', 'Authorize.Net'])
         return providers
 
-    authorize_login = fields.Char(string='API Login Id', required_if_provider='authorize')
-    authorize_transaction_key = fields.Char(string='API Transaction Key', required_if_provider='authorize')
+    authorize_login = fields.Char(string='API Login Id', required_if_provider='authorize', groups='base.group_user')
+    authorize_transaction_key = fields.Char(string='API Transaction Key', required_if_provider='authorize', groups='base.group_user')
 
     def _authorize_generate_hashing(self, values):
         data = '^'.join([

addons/payment_buckaroo/models/buckaroo.py

@@ -43,8 +43,8 @@ class AcquirerBuckaroo(osv.Model):
         return providers
 
     _columns = {
-        'brq_websitekey': fields.char('WebsiteKey', required_if_provider='buckaroo'),
-        'brq_secretkey': fields.char('SecretKey', required_if_provider='buckaroo'),
+        'brq_websitekey': fields.char('WebsiteKey', required_if_provider='buckaroo', groups='base.group_user'),
+        'brq_secretkey': fields.char('SecretKey', required_if_provider='buckaroo', groups='base.group_user'),
     }
 
     def _buckaroo_generate_digital_sign(self, acquirer, inout, values):

addons/payment_ogone/models/ogone.py

@@ -43,11 +43,11 @@ class PaymentAcquirerOgone(osv.Model):
         return providers
 
     _columns = {
-        'ogone_pspid': fields.char('PSPID', required_if_provider='ogone'),
-        'ogone_userid': fields.char('API User ID', required_if_provider='ogone'),
-        'ogone_password': fields.char('API User Password', required_if_provider='ogone'),
-        'ogone_shakey_in': fields.char('SHA Key IN', size=32, required_if_provider='ogone'),
-        'ogone_shakey_out': fields.char('SHA Key OUT', size=32, required_if_provider='ogone'),
+        'ogone_pspid': fields.char('PSPID', required_if_provider='ogone', groups='base.group_user'),
+        'ogone_userid': fields.char('API User ID', required_if_provider='ogone', groups='base.group_user'),
+        'ogone_password': fields.char('API User Password', required_if_provider='ogone', groups='base.group_user'),
+        'ogone_shakey_in': fields.char('SHA Key IN', size=32, required_if_provider='ogone', groups='base.group_user'),
+        'ogone_shakey_out': fields.char('SHA Key OUT', size=32, required_if_provider='ogone', groups='base.group_user'),
     }
 
     def _ogone_generate_shasign(self, acquirer, inout, values):

addons/payment_paypal/models/paypal.py

@@ -41,17 +41,17 @@ class AcquirerPaypal(osv.Model):
         return providers
 
     _columns = {
-        'paypal_email_account': fields.char('Paypal Email ID', required_if_provider='paypal'),
+        'paypal_email_account': fields.char('Paypal Email ID', required_if_provider='paypal', groups='base.group_user'),
         'paypal_seller_account': fields.char(
-            'Paypal Merchant ID',
+            'Paypal Merchant ID', groups='base.group_user',
             help='The Merchant ID is used to ensure communications coming from Paypal are valid and secured.'),
-        'paypal_use_ipn': fields.boolean('Use IPN', help='Paypal Instant Payment Notification'),
+        'paypal_use_ipn': fields.boolean('Use IPN', help='Paypal Instant Payment Notification', groups='base.group_user'),
         # Server 2 server
         'paypal_api_enabled': fields.boolean('Use Rest API'),
-        'paypal_api_username': fields.char('Rest API Username'),
-        'paypal_api_password': fields.char('Rest API Password'),
-        'paypal_api_access_token': fields.char('Access Token'),
-        'paypal_api_access_token_validity': fields.datetime('Access Token Validity'),
+        'paypal_api_username': fields.char('Rest API Username', groups='base.group_user'),
+        'paypal_api_password': fields.char('Rest API Password', groups='base.group_user'),
+        'paypal_api_access_token': fields.char('Access Token', groups='base.group_user'),
+        'paypal_api_access_token_validity': fields.datetime('Access Token Validity', groups='base.group_user'),
     }
 
     _defaults = {

addons/payment_sips/controllers/main.py

@@ -35,7 +35,7 @@ class SipsController(http.Controller):
 
         sips = acquirer_obj.search([('provider', '=', 'sips')], limit=1)
 
-        security = sips._sips_generate_shasign(post)
+        security = sips.sudo()._sips_generate_shasign(post)
         if security == post['Seal']:
             _logger.debug('Sips: validated data')
             res = tx_obj.sudo().form_feedback(post, 'sips')

addons/payment_sips/models/sips.py

@@ -41,8 +41,8 @@ class AcquirerSips(models.Model):
     _inherit = 'payment.acquirer'
     # Fields
     sips_merchant_id = fields.Char('SIPS API User Password',
-                                   required_if_provider='sips')
-    sips_secret = fields.Char('SIPS Secret', size=64, required_if_provider='sips')
+                                   required_if_provider='sips', groups='base.group_user')
+    sips_secret = fields.Char('SIPS Secret', size=64, required_if_provider='sips', groups='base.group_user')
 
     # Methods
     def _get_sips_urls(self, environment):

addons/portal_sale/portal_sale.py

@@ -40,7 +40,7 @@ class sale_order(osv.Model):
         for this in self.browse(cr, SUPERUSER_ID, ids, context=context):
             if this.state not in ('draft', 'cancel') and not this.invoiced:
                 result[this.id] = payment_acquirer.render_payment_block(
-                    cr, uid, this.name, this.amount_total, this.pricelist_id.currency_id.id,
+                    cr, SUPERUSER_ID, this.name, this.amount_total, this.pricelist_id.currency_id.id,
                     partner_id=this.partner_id.id, company_id=this.company_id.id, context=context)
         return result
 
@@ -100,7 +100,7 @@ class account_invoice(osv.Model):
         for this in self.browse(cr, uid, ids, context=context):
             if this.type == 'out_invoice' and this.state not in ('draft', 'done') and not this.reconciled:
                 result[this.id] = payment_acquirer.render_payment_block(
-                    cr, uid, this.number, this.residual, this.currency_id.id,
+                    cr, SUPERUSER_ID, this.number, this.residual, this.currency_id.id,
                     partner_id=this.partner_id.id, company_id=this.company_id.id, context=context)
         return result