diff --git a/addons/auth_ldap/users_ldap.py b/addons/auth_ldap/users_ldap.py
index 2c7523db430..92d723af3d9 100644
--- a/addons/auth_ldap/users_ldap.py
+++ b/addons/auth_ldap/users_ldap.py
@@ -249,6 +249,10 @@ class users(osv.osv):
 return user_id
 registry = RegistryManager.get(db)
 with registry.cursor() as cr:
+ cr.execute("SELECT id, active FROM res_users WHERE lower(login)=%s", (login,))
+ res = cr.fetchone()
+ if res:
+ return False
 ldap_obj = registry.get('res.company.ldap')
 for conf in ldap_obj.get_ldap_dicts(cr):
 entry = ldap_obj.authenticate(conf, login, password)
diff --git a/addons/payment/__openerp__.py b/addons/payment/__openerp__.py
index c192bec7c1b..a3843a872c1 100644
--- a/addons/payment/__openerp__.py
+++ b/addons/payment/__openerp__.py
@@ -12,6 +12,7 @@
 'views/payment_acquirer.xml',
 'views/res_config_view.xml',
 'security/ir.model.access.csv',
+ 'security/payment_security.xml',
 ],
 'installable': True,
 'auto_install': True,
diff --git a/addons/payment/security/ir.model.access.csv b/addons/payment/security/ir.model.access.csv
index 18f98939472..f52f9a44d4e 100644
--- a/addons/payment/security/ir.model.access.csv
+++ b/addons/payment/security/ir.model.access.csv
@@ -2,6 +2,6 @@ id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
 payment_acquirer_all,payment.acquirer.all,model_payment_acquirer,,1,0,0,0
 payment_acquirer_user,payment.acquirer.user,model_payment_acquirer,base.group_user,1,1,1,0
 payment_acquirer_system,payment.acquirer.system,model_payment_acquirer,base.group_system,1,1,1,1
-payment_transaction_all,payment.transaction.all,model_payment_transaction,,1,1,1,0
+payment_transaction_all,payment.transaction.all,model_payment_transaction,,1,0,0,0
 payment_transaction_user,payment.transaction.user,model_payment_transaction,base.group_user,1,1,1,0
 payment_transaction_system,payment.transaction.system,model_payment_transaction,base.group_system,1,1,1,1
\ No newline at end of file
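Review bot: The new guard in `users_ldap.py` compares `lower(login)` on the column side with the raw `login` parameter, so unless `login` is already lower-cased before this point (not visible in the hunk), an input containing upper-case characters will not match an existing row and the LDAP path below still runs. Passing the normalised value, `cr.execute("SELECT id FROM res_users WHERE lower(login)=%s", (login.lower(),))`, keeps both sides of the comparison consistent. `active` is selected but never read; either drop it or add a comment such as `# an existing local account, active or not, must never fall through to LDAP`. The enclosing method starts and ends outside the hunk.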
diff --git a/addons/payment/security/payment_security.xml b/addons/payment/security/payment_security.xml
new file mode 100644
index 00000000000..7bae346c648
--- /dev/null
+++ b/addons/payment/security/payment_security.xml
@@ -0,0 +1,24 @@
+
+
+
+
+
+ Access own payment transaction only
+
+ [
+ '|',
+ ('partner_id','=',False),
+ ('partner_id','=',user.partner_id.id)
+ ]
+
+
+
+
+ Access every payment transaction
+
+ [(1, '=', 1)]
+
+
+
+
+
diff --git a/addons/payment_paypal/models/paypal.py b/addons/payment_paypal/models/paypal.py
index 3021c685e90..c94622a690b 100644
--- a/addons/payment_paypal/models/paypal.py
+++ b/addons/payment_paypal/models/paypal.py
@@ -14,6 +14,7 @@ from openerp.addons.payment.models.payment_acquirer import ValidationError
 from openerp.addons.payment_paypal.controllers.main import PaypalController
 from openerp.osv import osv, fields
 from openerp.tools.float_utils import float_compare
+from openerp import SUPERUSER_ID
 _logger = logging.getLogger(__name__)
@@ -69,13 +70,14 @@ class AcquirerPaypal(osv.Model):
 res = cr.fetchall()
 for (company_id, company_paypal_account) in res:
 if company_paypal_account:
- company_paypal_ids = self.search(cr, uid, [('company_id', '=', company_id), ('name', '=', 'paypal')], limit=1, context=context)
+ company_paypal_ids = self.search(cr, uid, [('company_id', '=', company_id), ('provider', '=', 'paypal')], limit=1, context=context)
 if company_paypal_ids:
 self.write(cr, uid, company_paypal_ids, {'paypal_email_account': company_paypal_account}, context=context)
 else:
 paypal_view = self.pool['ir.model.data'].get_object(cr, uid, 'payment_paypal', 'paypal_acquirer_button')
 self.create(cr, uid, {
- 'name': 'paypal',
+ 'name': 'Paypal',
+ 'provider': 'paypal',
 'paypal_email_account': company_paypal_account,
 'view_template_id': paypal_view.id,
 }, context=context)
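Review bot: The "Access own payment transaction only" rule in `payment_security.xml` also admits `('partner_id','=',False)`, so every transaction that has no partner is visible to any user the rule applies to, not only to the user who started it. The markup around the domain is not visible on this page, so which groups each of the two rules is bound to cannot be confirmed from here. If the partner-less branch is intentional, say so next to the domain with a comment along the lines of `<!-- transactions without a partner stay visible to every user covered by this rule; ownership cannot be checked for them -->`; if it is not, the domain should reduce to `[('partner_id','=',user.partner_id.id)]`.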
@@ -104,7 +106,7 @@ class AcquirerPaypal(osv.Model):
 return fees
 def paypal_form_generate_values(self, cr, uid, id, partner_values, tx_values, context=None):
- base_url = self.pool['ir.config_parameter'].get_param(cr, uid, 'web.base.url')
+ base_url = self.pool['ir.config_parameter'].get_param(cr, SUPERUSER_ID, 'web.base.url')
 acquirer = self.browse(cr, uid, id, context=context)
 paypal_tx_values = dict(tx_values)
diff --git a/addons/point_of_sale/point_of_sale.py b/addons/point_of_sale/point_of_sale.py
index 67fdf5cf196..aeb1ca8ea46 100644
--- a/addons/point_of_sale/point_of_sale.py
+++ b/addons/point_of_sale/point_of_sale.py
@@ -396,6 +396,7 @@ class pos_session(osv.osv):
 if not cashids:
 cashids = journal_proxy.search(cr, uid, [('journal_user','=',True)], context=context)
+ journal_proxy.write(cr, uid, cashids, {'journal_user': True})
 jobj.write(cr, uid, [pos_config.id], {'journal_ids': [(6,0, cashids)]})
diff --git a/addons/portal_sale/security/ir.model.access.csv b/addons/portal_sale/security/ir.model.access.csv
index 02c4db9fb1c..88cd0e961d3 100644
--- a/addons/portal_sale/security/ir.model.access.csv
+++ b/addons/portal_sale/security/ir.model.access.csv
@@ -9,3 +9,7 @@ access_product_list,product.pricelist,product.model_product_pricelist,base.group
 access_res_partner,res.partner,base.model_res_partner,base.group_portal,1,0,0,0
 access_account_tax,account.tax,account.model_account_tax,base.group_portal,1,0,0,0
 access_res_partner_category,res.partner.category,base.model_res_partner_category,base.group_portal,1,0,0,0
+access_product_attribute_portal,product.attribute portal,product.model_product_attribute,base.group_portal,1,0,0,0
+access_product_attribute_value_portal,product.attribute value portal,product.model_product_attribute_value,base.group_portal,1,0,0,0
+access_product_attribute_price_portal,product.attribute price portal,product.model_product_attribute_price,base.group_portal,1,0,0,0
+access_product_attribute_line_portal,product.attribute line portal,product.model_product_attribute_line,base.group_portal,1,0,0,0
diff --git a/addons/website_sale/controllers/main.py b/addons/website_sale/controllers/main.py
index 537f2f004f7..75d5a4058af 100644
--- a/addons/website_sale/controllers/main.py
+++ b/addons/website_sale/controllers/main.py
@@ -700,7 +700,7 @@ class website_sale(http.Controller):
 }
 tx_ids = request.registry['payment.transaction'].search(
- cr, uid, [
+ cr, SUPERUSER_ID, [
 '|', ('sale_order_id', '=', order.id), ('reference', '=', order.name)
 ], context=context)
@@ -715,7 +715,7 @@ class website_sale(http.Controller):
 message = ""
 validation = None
 else:
- tx = request.registry['payment.transaction'].browse(cr, uid, tx_ids[0], context=context)
+ tx = request.registry['payment.transaction'].browse(cr, SUPERUSER_ID, tx_ids[0], context=context)
 state = tx.state
 if state == 'done':
 message = '
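Review bot: With `SUPERUSER_ID` passed to the `payment.transaction` `search` in `website_sale/controllers/main.py`, the record rule this commit adds in `payment_security.xml` no longer applies on this path, so the only thing limiting which transaction's state is reported is how `order` was resolved earlier in the handler, which is outside the hunk. The same holds for the `browse` in the following hunk and for the `search`/`browse` pair in `website_sale/models/sale_order.py`, where `tx_id` is read from `request.session`. It is worth confirming that `order` is tied to the caller's own session before this point and recording that at the call site, for example `# ACLs bypassed on purpose: order was resolved from the visitor's session above`. Neither hunk shows `SUPERUSER_ID` being imported in these two files; presumably it already is, but that should be checked.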

%s

' % _('Your payment has been received.')
diff --git a/addons/website_sale/models/sale_order.py b/addons/website_sale/models/sale_order.py
index 60785910834..ebc7bcab5b7 100644
--- a/addons/website_sale/models/sale_order.py
+++ b/addons/website_sale/models/sale_order.py
@@ -205,9 +205,9 @@ class website(orm.Model):
 transaction_obj = self.pool.get('payment.transaction')
 tx_id = request.session.get('sale_transaction_id')
 if tx_id:
- tx_ids = transaction_obj.search(cr, uid, [('id', '=', tx_id), ('state', 'not in', ['cancel'])], context=context)
+ tx_ids = transaction_obj.search(cr, SUPERUSER_ID, [('id', '=', tx_id), ('state', 'not in', ['cancel'])], context=context)
 if tx_ids:
- return transaction_obj.browse(cr, uid, tx_ids[0], context=context)
+ return transaction_obj.browse(cr, SUPERUSER_ID, tx_ids[0], context=context)
 else:
 request.session['sale_transaction_id'] = False
 return False
diff --git a/addons/website_sale/views/sale_order.xml b/addons/website_sale/views/sale_order.xml
index ad90e1e7c43..2568ec21603 100644
--- a/addons/website_sale/views/sale_order.xml
+++ b/addons/website_sale/views/sale_order.xml
@@ -8,8 +8,8 @@
-
-
+
+
diff --git a/openerp/models.py b/openerp/models.py
index da53a763376..6b909be1043 100644
--- a/openerp/models.py
+++ b/openerp/models.py
@@ -3694,6 +3694,7 @@ class BaseModel(object):
 readonly = None
 self.check_field_access_rights(cr, user, 'write', vals.keys())
+ deleted_related = defaultdict(list)
 for field in vals.keys():
 fobj = None
 if field in self._columns:
@@ -3702,6 +3703,10 @@ class BaseModel(object):
 fobj = self._inherit_fields[field][2]
 if not fobj:
 continue
+ if fobj._type in ['one2many', 'many2many'] and vals[field]:
+ for wtuple in vals[field]:
+ if isinstance(wtuple, (tuple, list)) and wtuple[0] == 2:
+ deleted_related[fobj._obj].append(wtuple[1])
 groups = fobj.write
 if groups:
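Review bot: In the second `openerp/models.py` hunk, `wtuple[0]` and `wtuple[1]` are indexed after only a type check, so an empty or one-element command in `vals[field]` raises `IndexError` here, ahead of the `groups` check that follows. A length guard avoids that: `if isinstance(wtuple, (tuple, list)) and len(wtuple) >= 2 and wtuple[0] == 2:`. `deleted_related` is only used for membership tests later (`if id not in deleted_related[model_name]:` in the hunk at -3905), so `defaultdict(set)` with `.add(wtuple[1])` would fit better than a list. No import of `defaultdict` appears in the diff, so confirm it is already in scope in this module. The enclosing method starts and ends outside these hunks.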
@@ -3905,7 +3910,8 @@ class BaseModel(object):
 for id in ids_to_update:
 if id not in done[key]:
 done[key][id] = True
- todo.append(id)
+ if id not in deleted_related[model_name]:
+ todo.append(id)
 self.pool[model_name]._store_set_values(cr, user, todo, fields_to_recompute, context)
 # recompute new-style fields
diff --git a/openerp/modules/loading.py b/openerp/modules/loading.py
index 0568b0d1a38..61e573de3ff 100644
--- a/openerp/modules/loading.py
+++ b/openerp/modules/loading.py
@@ -278,6 +278,7 @@ def load_modules(db, force_demo=False, status=None, update_module=False):
 if not openerp.modules.db.is_initialized(cr):
 _logger.info("init db")
 openerp.modules.db.initialize(cr)
+ update_module = True # process auto-installed modules
 tools.config["init"]["all"] = 1
 tools.config['update']['all'] = 1
 if not tools.config['without_demo']: