[FIX] payment: access rights limitation
Do not allow everybody to access account.transactions. Restrict access to read-only by default and further restrict it with a record rule; give access to salesman.
parent
685fa26e83
commit
d99835ee9c
|
@ -12,6 +12,7 @@
|
||||||
'views/payment_acquirer.xml',
|
'views/payment_acquirer.xml',
|
||||||
'views/res_config_view.xml',
|
'views/res_config_view.xml',
|
||||||
'security/ir.model.access.csv',
|
'security/ir.model.access.csv',
|
||||||
|
'security/payment_security.xml',
|
||||||
],
|
],
|
||||||
'installable': True,
|
'installable': True,
|
||||||
'auto_install': True,
|
'auto_install': True,
|
||||||
|
|
|
@ -2,6 +2,6 @@ id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
|
||||||
payment_acquirer_all,payment.acquirer.all,model_payment_acquirer,,1,0,0,0
|
payment_acquirer_all,payment.acquirer.all,model_payment_acquirer,,1,0,0,0
|
||||||
payment_acquirer_user,payment.acquirer.user,model_payment_acquirer,base.group_user,1,1,1,0
|
payment_acquirer_user,payment.acquirer.user,model_payment_acquirer,base.group_user,1,1,1,0
|
||||||
payment_acquirer_system,payment.acquirer.system,model_payment_acquirer,base.group_system,1,1,1,1
|
payment_acquirer_system,payment.acquirer.system,model_payment_acquirer,base.group_system,1,1,1,1
|
||||||
payment_transaction_all,payment.transaction.all,model_payment_transaction,,1,1,1,0
|
payment_transaction_all,payment.transaction.all,model_payment_transaction,,1,0,0,0
|
||||||
payment_transaction_user,payment.transaction.user,model_payment_transaction,base.group_user,1,1,1,0
|
payment_transaction_user,payment.transaction.user,model_payment_transaction,base.group_user,1,1,1,0
|
||||||
payment_transaction_system,payment.transaction.system,model_payment_transaction,base.group_system,1,1,1,1
|
payment_transaction_system,payment.transaction.system,model_payment_transaction,base.group_system,1,1,1,1
|
|
|
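Review bot: The `payment_transaction_all` row still grants `perm_read` with an empty group, so confidentiality of payment.transaction now rests entirely on the record rules. As far as I know, Odoo group-bound rules only constrain users who belong to one of the listed groups, so a user outside those groups is limited by this row alone and can read every transaction. Consider replacing the empty-group row with per-group read rows, for example (constructed ids) `payment_transaction_portal,payment.transaction.portal,model_payment_transaction,base.group_portal,1,0,0,0`, so that no group gets read access without a matching rule.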
@ -0,0 +1,24 @@
|
||||||
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
|
<openerp>
|
||||||
|
<data noupdate="1">
|
||||||
|
|
||||||
|
<record id="payment_transaction_user_rule" model="ir.rule">
|
||||||
|
<field name="name">Access own payment transaction only</field>
|
||||||
|
<field name="model_id" ref="payment.model_payment_transaction"/>
|
||||||
|
<field name="domain_force">[
|
||||||
|
'|',
|
||||||
|
('partner_id','=',False),
|
||||||
|
('partner_id','=',user.partner_id.id)
|
||||||
|
]</field>
|
||||||
|
<field name="groups" eval="[(4, ref('base.group_user')), (4, ref('base.group_portal'))]"/>
|
||||||
|
</record>
|
||||||
|
|
||||||
|
<record id="payment_transaction_salesman_rule" model="ir.rule">
|
||||||
|
<field name="name">Access every payment transaction</field>
|
||||||
|
<field name="model_id" ref="payment.model_payment_transaction"/>
|
||||||
|
<field name="domain_force">[(1, '=', 1)]</field>
|
||||||
|
<field name="groups" eval="[(4, ref('base.group_sale_salesman'))]"/>
|
||||||
|
</record>
|
||||||
|
|
||||||
|
</data>
|
||||||
|
</openerp>
|
|
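Review bot: The `('partner_id','=',False)` branch of `payment_transaction_user_rule` makes every transaction without a partner visible to all members of base.group_user and base.group_portal, which is wider than the rule name "Access own payment transaction only" suggests. Since the access CSV also gives base.group_user write and create on this model, employees can presumably modify those partner-less records too. If a checkout flow needs this branch, state the reason in a comment above the record, e.g. `<!-- partner-less transactions stay readable because <reason> -->`. Otherwise reduce the domain to `[('partner_id','=',user.partner_id.id)]`.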
@ -14,6 +14,7 @@ from openerp.addons.payment.models.payment_acquirer import ValidationError
|
||||||
from openerp.addons.payment_paypal.controllers.main import PaypalController
|
from openerp.addons.payment_paypal.controllers.main import PaypalController
|
||||||
from openerp.osv import osv, fields
|
from openerp.osv import osv, fields
|
||||||
from openerp.tools.float_utils import float_compare
|
from openerp.tools.float_utils import float_compare
|
||||||
|
from openerp import SUPERUSER_ID
|
||||||
|
|
||||||
_logger = logging.getLogger(__name__)
|
_logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
@ -99,7 +100,7 @@ class AcquirerPaypal(osv.Model):
|
||||||
return fees
|
return fees
|
||||||
|
|
||||||
def paypal_form_generate_values(self, cr, uid, id, partner_values, tx_values, context=None):
|
def paypal_form_generate_values(self, cr, uid, id, partner_values, tx_values, context=None):
|
||||||
base_url = self.pool['ir.config_parameter'].get_param(cr, uid, 'web.base.url')
|
base_url = self.pool['ir.config_parameter'].get_param(cr, SUPERUSER_ID, 'web.base.url')
|
||||||
acquirer = self.browse(cr, uid, id, context=context)
|
acquirer = self.browse(cr, uid, id, context=context)
|
||||||
|
|
||||||
paypal_tx_values = dict(tx_values)
|
paypal_tx_values = dict(tx_values)
|
||||||
|
|
|
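Review bot: The switch to `SUPERUSER_ID` in `get_param` has no comment explaining why the read is elevated, and unexplained superuser calls tend to get copied to places where they are not safe. I would add `# read as superuser: public/portal users cannot read ir.config_parameter; only 'web.base.url' is fetched here` above the call. Keeping `self.browse(cr, uid, ...)` on the caller's uid is right and worth preserving. Other acquirer modules may make the same `get_param(cr, uid, 'web.base.url')` call and would then fail for the same users; they are not visible on this page, so please check. The body of `paypal_form_generate_values` continues outside the hunk.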
@ -12,6 +12,7 @@
|
||||||
'payment',
|
'payment',
|
||||||
],
|
],
|
||||||
'data': [
|
'data': [
|
||||||
|
'payment_security.xml',
|
||||||
'views/website_payment_templates.xml',
|
'views/website_payment_templates.xml',
|
||||||
'views/website_settings_payment.xml',
|
'views/website_settings_payment.xml',
|
||||||
],
|
],
|
||||||
|
|
|
@ -0,0 +1,10 @@
|
||||||
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
|
<openerp>
|
||||||
|
<data noupdate="1">
|
||||||
|
|
||||||
|
<record id="payment.payment_transaction_user_rule" model="ir.rule">
|
||||||
|
<field name="groups" eval="[(4, ref('base.group_public'))]"/>
|
||||||
|
</record>
|
||||||
|
|
||||||
|
</data>
|
||||||
|
</openerp>
|
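Review bot: Adding base.group_public to `payment.payment_transaction_user_rule` reuses the domain `('partner_id','=',user.partner_id.id)`, but anonymous visitors normally all run as the same public user. Every transaction attached to the public partner, and every partner-less one, then matches for every visitor, so the rule does not separate one anonymous customer from another. A comment should record that isolation for public checkouts has to come from the controller (for instance a session-bound transaction id), not from this rule. Separately, the record sits in `<data noupdate="1">` and targets a record that is itself noupdate, so on a database where this module is already installed a plain module update will likely skip the write and leave the public group without any rule. Please verify the upgrade path.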