[FIX] portal_sale: remove un-necessary access rights, improve rules

Portal access rights need to be associated with
security rules, or not granted at all, as soon
as they grant access to non-trivial data.
Olivier Dony 2014-08-13 15:15:29 +02:00
parent bceb278199
commit d03ae8980a
2 changed files with 17 additions and 10 deletions


@ -7,15 +7,7 @@ access_account_invoice_line,account.invoice.line,account.model_account_invoice_l
access_account_journal,account.journal,account.model_account_journal,portal.group_portal,1,0,0,0
access_account_voucher,account.voucher,account_voucher.model_account_voucher,portal.group_portal,1,0,0,0
access_account_voucher_line,account.voucher.line,account_voucher.model_account_voucher_line,portal.group_portal,1,0,0,0
access_account_move,account.move,account.model_account_move,portal.group_portal,1,0,0,0
access_account_move_line,account.move.line,account.model_account_move_line,portal.group_portal,1,0,0,0
access_account_move_reconcile,account.move.reconcile,account.model_account_move_reconcile,portal.group_portal,1,0,0,0
access_account_fiscalyear,account.sequence.fiscalyear,account.model_account_sequence_fiscalyear,portal.group_portal,1,0,0,0
access_sale_shop,sale.shop,sale.model_sale_shop,portal.group_portal,1,0,0,0
access_product_list,product.pricelist,product.model_product_pricelist,portal.group_portal,1,0,0,0
access_res_partner,res.partner,base.model_res_partner,portal.group_portal,1,0,0,0
access_account_tax,account.tax,account.model_account_tax,portal.group_portal,1,0,0,0
access_account_fiscalyear,account.fiscalyear,account.model_account_fiscalyear,portal.group_portal,1,0,0,0
access_res_partner_category,res.partner.category,base.model_res_partner_category,portal.group_portal,1,0,0,0
access_account_period,account.period,account.model_account_period,portal.group_portal,1,0,0,0
access_account_account,account.account,account.model_account_account,portal.group_portal,1,0,0,0

1 id name model_id:id group_id:id perm_read perm_write perm_create perm_unlink
7 access_account_journal account.journal account.model_account_journal portal.group_portal 1 0 0 0
8 access_account_voucher account.voucher account_voucher.model_account_voucher portal.group_portal 1 0 0 0
9 access_account_voucher_line account.voucher.line account_voucher.model_account_voucher_line portal.group_portal 1 0 0 0
access_account_move account.move account.model_account_move portal.group_portal 1 0 0 0
access_account_move_line account.move.line account.model_account_move_line portal.group_portal 1 0 0 0
access_account_move_reconcile account.move.reconcile account.model_account_move_reconcile portal.group_portal 1 0 0 0
access_account_fiscalyear account.sequence.fiscalyear account.model_account_sequence_fiscalyear portal.group_portal 1 0 0 0
10 access_sale_shop sale.shop sale.model_sale_shop portal.group_portal 1 0 0 0
access_product_list product.pricelist product.model_product_pricelist portal.group_portal 1 0 0 0
11 access_res_partner res.partner base.model_res_partner portal.group_portal 1 0 0 0
12 access_account_tax account.tax account.model_account_tax portal.group_portal 1 0 0 0
access_account_fiscalyear account.fiscalyear account.model_account_fiscalyear portal.group_portal 1 0 0 0
13 access_res_partner_category res.partner.category base.model_res_partner_category portal.group_portal 1 0 0 0
access_account_period account.period account.model_account_period portal.group_portal 1 0 0 0
access_account_account account.account account.model_account_account portal.group_portal 1 0 0 0


@ -18,7 +18,7 @@ their documents through the portal.</field>
<record id="portal_sale_order_user_rule" model="ir.rule">
<field name="name">Portal Personal Quotations/Sales Orders</field>
<field name="model_id" ref="sale.model_sale_order"/>
<field name="domain_force">[('message_follower_ids','in',[user.partner_id.id])]</field>
<field name="domain_force">[('message_follower_ids','child_of',[user.partner_id.id])]</field>
<field name="groups" eval="[(4, ref('portal.group_portal'))]"/>
<field eval="1" name="perm_unlink"/>
<field eval="1" name="perm_write"/>
@ -26,10 +26,25 @@ their documents through the portal.</field>
<field eval="0" name="perm_create"/>
</record>
<record id="portal_sale_order_line_rule" model="ir.rule">
<field name="name">Portal Sales Orders Line</field>
<field name="model_id" ref="sale.model_sale_order_line"/>
<field name="domain_force">[('order_id.message_follower_ids','child_of',[user.partner_id.id])]</field>
<field name="groups" eval="[(4, ref('portal.group_portal'))]"/>
</record>
<record id="portal_account_invoice_user_rule" model="ir.rule">
<field name="name">Portal Personal Account Invoices</field>
<field name="model_id" ref="account.model_account_invoice"/>
<field name="domain_force">[('message_follower_ids','in',[user.partner_id.id])]</field>
<field name="domain_force">[('message_follower_ids','child_of',[user.partner_id.id])]</field>
<field name="groups" eval="[(4, ref('portal.group_portal'))]"/>
</record>
<record id="portal_account_invoice_line_rule" model="ir.rule">
<field name="name">Portal Invoice Lines</field>
<field name="model_id" ref="account.model_account_invoice_line"/>
<field name="domain_force">[('invoice_id.message_follower_ids','child_of',[user.partner_id.id])]</field>
<field name="groups" eval="[(4, ref('portal.group_portal'))]"/>
</record>
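Review bot: The `child_of` operator in the `domain_force` of `portal_sale_order_user_rule` and `portal_account_invoice_user_rule` widens portal visibility from documents the user's own partner follows to documents followed by any partner below it in the partner hierarchy, and nothing in the visible part of the file records that this is intended. This takes the `child_of` line of each printed pair as the new side, which matches the two added line rules. On the sale-order rule `perm_write` and `perm_unlink` are set to 1, so the wider domain also governs those operations wherever an access right allows them. I would add a comment above each rule, for example `<!-- child_of: a portal user also sees documents followed by contacts under their own partner -->`, and a matching one on the two line rules saying that line visibility follows the parent document's followers. Separately, the access CSV in this commit still leaves `account.voucher`, `account.voucher.line` and `res.partner` readable by `portal.group_portal`, and no matching `ir.rule` appears in the visible part of this file; if none exists elsewhere, those rows fall under the commit message's own criterion.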