[IMP] website_mail: added override of mail.message search and check_access_rule to restrict messages vsible by public user to have website_published = True

bzr revid: tde@openerp.com-20130923134639-ou1hkwzetm9st95f
2013-09-23 15:46:39 +02:00 · 2013-09-23 15:46:39 +02:00 · dcdefd0e8d
parent 35ce110ab0
commit dcdefd0e8d
1 changed files with 29 additions and 0 deletions
--- a/addons/website_mail/mail_message.py
+++ b/addons/website_mail/mail_message.py
@ -19,6 +19,7 @@
 #
 ##############################################################################

+from openerp.tools.translate import _
 from openerp.osv import osv, fields


@ -30,3 +31,31 @@ class MailMessage(osv.Model):
            'Publish', help="Publish on the website as a blog"
        ),
    }
+
+    def _search(self, cr, uid, args, offset=0, limit=None, order=None,
+                context=None, count=False, access_rights_uid=None):
+        """ Override that adds specific access rights of mail.message, to restrict
+        messages to published messages for public users. """
+        group_ids = self.pool.get('res.users').browse(cr, uid, uid, context=context).groups_id
+        group_user_id = self.pool.get("ir.model.data").get_object_reference(cr, uid, 'base', 'group_public')[1]
+        if group_user_id in [group.id for group in group_ids]:
+            args = ['&', ('website_published', '=', True)] + list(args)
+
+        return super(MailMessage, self)._search(cr, uid, args, offset=offset, limit=limit, order=order,
+                                                context=context, count=False, access_rights_uid=access_rights_uid)
+
+    def check_access_rule(self, cr, uid, ids, operation, context=None):
+        """ Add Access rules of mail.message for non-employee user:
+            - read:
+                - raise if the type is comment and subtype NULL (internal note)
+        """
+        group_ids = self.pool.get('res.users').browse(cr, uid, uid, context=context).groups_id
+        group_user_id = self.pool.get("ir.model.data").get_object_reference(cr, uid, 'base', 'group_public')[1]
+        if group_user_id in [group.id for group in group_ids]:
+            cr.execute('SELECT DISTINCT id FROM "%s" WHERE website_published IS FALSE AND id = ANY (%%s)' % (self._table), (ids,))
+            if cr.fetchall():
+                raise osv.except_osv(
+                    _('Access Denied'),
+                    _('The requested operation cannot be completed due to security restrictions. Please contact your system administrator.\n\n(Document type: %s, Operation: %s)') % (self._description, operation))
+
+        return super(MailMessage, self).check_access_rule(cr, uid, ids=ids, operation=operation, context=context)