From 32f51689742cdec79ad2bc41ac37bb53fbb6f199 Mon Sep 17 00:00:00 2001 From: Martin Trigaux Date: Mon, 15 Sep 2014 15:24:43 +0200 Subject: [PATCH 01/14] [FIX] orm: do not drop foreign keys of transient models During the update of a module, the existing foreign keys are dropped if they have a different ondelete_rule than the one specified on the field. The foreign keys for many2one transiant -> non-transiant are created with cascade rule by default (see `m2o_add_foreign_key_checked` method) so the check needs to be realised in the same conditions. --- openerp/osv/orm.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/openerp/osv/orm.py b/openerp/osv/orm.py index 9bf10df39d6..07ed496000c 100644 --- a/openerp/osv/orm.py +++ b/openerp/osv/orm.py @@ -3016,6 +3016,9 @@ class BaseModel(object): if len(constraints) == 1: # Is it the right constraint? cons, = constraints + if self.is_transient() and not dest_model.is_transient(): + # transient foreign keys are added as cascade by default + ondelete = ondelete or 'cascade' if cons['ondelete_rule'] != POSTGRES_CONFDELTYPES.get((ondelete or 'set null').upper(), 'a')\ or cons['foreign_table'] != dest_model._table: # Wrong FK: drop it and recreate From 74072441cccb1cadb747e358e1af4a42d1399b86 Mon Sep 17 00:00:00 2001 From: Denis Ledoux Date: Tue, 13 May 2014 10:15:01 +0200 Subject: [PATCH 02/14] [FIX] sale: backport of rev 709e22c32aca [FIX] sale: sale report view, wrong domain Quotations are sale.order with state draft and sent Sale orders are sale.order with state other than draft, sent and cancel --- addons/sale/report/sale_report_view.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/addons/sale/report/sale_report_view.xml b/addons/sale/report/sale_report_view.xml index 8f725a9eacb..7ddba9b60a7 100644 --- a/addons/sale/report/sale_report_view.xml +++ b/addons/sale/report/sale_report_view.xml @@ -48,8 +48,8 @@ - - + + From 67eb6894b8620b8ef29cb1b85abb7dcf1ff57b2d Mon Sep 17 00:00:00 2001 From: Martin Trigaux Date: Tue, 16 Sep 2014 14:30:16 +0200 Subject: [PATCH 03/14] [FIX] portal_sale: security rules matching the one of public user The portal users had no access to the attributes objects (while the public user does) and was not allowed to render the shop page. Fixes #1961 --- addons/portal_sale/security/ir.model.access.csv | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/addons/portal_sale/security/ir.model.access.csv b/addons/portal_sale/security/ir.model.access.csv index 02c4db9fb1c..88cd0e961d3 100644 --- a/addons/portal_sale/security/ir.model.access.csv +++ b/addons/portal_sale/security/ir.model.access.csv @@ -9,3 +9,7 @@ access_product_list,product.pricelist,product.model_product_pricelist,base.group access_res_partner,res.partner,base.model_res_partner,base.group_portal,1,0,0,0 access_account_tax,account.tax,account.model_account_tax,base.group_portal,1,0,0,0 access_res_partner_category,res.partner.category,base.model_res_partner_category,base.group_portal,1,0,0,0 +access_product_attribute_portal,product.attribute portal,product.model_product_attribute,base.group_portal,1,0,0,0 +access_product_attribute_value_portal,product.attribute value portal,product.model_product_attribute_value,base.group_portal,1,0,0,0 +access_product_attribute_price_portal,product.attribute price portal,product.model_product_attribute_price,base.group_portal,1,0,0,0 +access_product_attribute_line_portal,product.attribute line portal,product.model_product_attribute_line,base.group_portal,1,0,0,0 From d99835ee9c5adcce99abe41363316b63cfb29404 Mon Sep 17 00:00:00 2001 From: Martin Trigaux Date: Tue, 16 Sep 2014 15:27:56 +0200 Subject: [PATCH 04/14] [FIX] payment: access rights limitation Do not allow everybody to access account.transactions. Restrict by default to readonly and even restrict the access with a record rule, give access to salesman. --- addons/payment/__openerp__.py | 1 + addons/payment/security/ir.model.access.csv | 2 +- addons/payment/security/payment_security.xml | 24 ++++++++++++++++++++ addons/payment_paypal/models/paypal.py | 3 ++- addons/website_payment/__openerp__.py | 1 + addons/website_payment/payment_security.xml | 10 ++++++++ 6 files changed, 39 insertions(+), 2 deletions(-) create mode 100644 addons/payment/security/payment_security.xml create mode 100644 addons/website_payment/payment_security.xml diff --git a/addons/payment/__openerp__.py b/addons/payment/__openerp__.py index c192bec7c1b..a3843a872c1 100644 --- a/addons/payment/__openerp__.py +++ b/addons/payment/__openerp__.py @@ -12,6 +12,7 @@ 'views/payment_acquirer.xml', 'views/res_config_view.xml', 'security/ir.model.access.csv', + 'security/payment_security.xml', ], 'installable': True, 'auto_install': True, diff --git a/addons/payment/security/ir.model.access.csv b/addons/payment/security/ir.model.access.csv index 18f98939472..f52f9a44d4e 100644 --- a/addons/payment/security/ir.model.access.csv +++ b/addons/payment/security/ir.model.access.csv @@ -2,6 +2,6 @@ id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink payment_acquirer_all,payment.acquirer.all,model_payment_acquirer,,1,0,0,0 payment_acquirer_user,payment.acquirer.user,model_payment_acquirer,base.group_user,1,1,1,0 payment_acquirer_system,payment.acquirer.system,model_payment_acquirer,base.group_system,1,1,1,1 -payment_transaction_all,payment.transaction.all,model_payment_transaction,,1,1,1,0 +payment_transaction_all,payment.transaction.all,model_payment_transaction,,1,0,0,0 payment_transaction_user,payment.transaction.user,model_payment_transaction,base.group_user,1,1,1,0 payment_transaction_system,payment.transaction.system,model_payment_transaction,base.group_system,1,1,1,1 \ No newline at end of file diff --git a/addons/payment/security/payment_security.xml b/addons/payment/security/payment_security.xml new file mode 100644 index 00000000000..8fb4def2811 --- /dev/null +++ b/addons/payment/security/payment_security.xml @@ -0,0 +1,24 @@ + + + + + + Access own payment transaction only + + [ + '|', + ('partner_id','=',False), + ('partner_id','=',user.partner_id.id) + ] + + + + + Access every payment transaction + + [(1, '=', 1)] + + + + + diff --git a/addons/payment_paypal/models/paypal.py b/addons/payment_paypal/models/paypal.py index a17f6ac83b5..bade2343fa9 100644 --- a/addons/payment_paypal/models/paypal.py +++ b/addons/payment_paypal/models/paypal.py @@ -14,6 +14,7 @@ from openerp.addons.payment.models.payment_acquirer import ValidationError from openerp.addons.payment_paypal.controllers.main import PaypalController from openerp.osv import osv, fields from openerp.tools.float_utils import float_compare +from openerp import SUPERUSER_ID _logger = logging.getLogger(__name__) @@ -99,7 +100,7 @@ class AcquirerPaypal(osv.Model): return fees def paypal_form_generate_values(self, cr, uid, id, partner_values, tx_values, context=None): - base_url = self.pool['ir.config_parameter'].get_param(cr, uid, 'web.base.url') + base_url = self.pool['ir.config_parameter'].get_param(cr, SUPERUSER_ID, 'web.base.url') acquirer = self.browse(cr, uid, id, context=context) paypal_tx_values = dict(tx_values) diff --git a/addons/website_payment/__openerp__.py b/addons/website_payment/__openerp__.py index c745f643fec..4c13b562b5e 100644 --- a/addons/website_payment/__openerp__.py +++ b/addons/website_payment/__openerp__.py @@ -12,6 +12,7 @@ 'payment', ], 'data': [ + 'payment_security.xml', 'views/website_payment_templates.xml', 'views/website_settings_payment.xml', ], diff --git a/addons/website_payment/payment_security.xml b/addons/website_payment/payment_security.xml new file mode 100644 index 00000000000..d8aafa15631 --- /dev/null +++ b/addons/website_payment/payment_security.xml @@ -0,0 +1,10 @@ + + + + + + + + + + From ce84d6107f08a065f4b90cb8dfb7f960e908f312 Mon Sep 17 00:00:00 2001 From: Denis Ledoux Date: Tue, 16 Sep 2014 17:55:14 +0200 Subject: [PATCH 05/14] [FIX] point_of_sale: set journal as pos payment method on setting journal in the payment methods of a pos config when none is set. --- addons/point_of_sale/point_of_sale.py | 1 + 1 file changed, 1 insertion(+) diff --git a/addons/point_of_sale/point_of_sale.py b/addons/point_of_sale/point_of_sale.py index a6131bca31b..d969de76c9e 100644 --- a/addons/point_of_sale/point_of_sale.py +++ b/addons/point_of_sale/point_of_sale.py @@ -325,6 +325,7 @@ class pos_session(osv.osv): if not cashids: cashids = journal_proxy.search(cr, uid, [('journal_user','=',True)], context=context) + journal_proxy.write(cr, uid, cashids, {'journal_user': True}) jobj.write(cr, uid, [pos_config.id], {'journal_ids': [(6,0, cashids)]}) From 0a9c64c17de3208231d3ff982c034f25c608c6fb Mon Sep 17 00:00:00 2001 From: Denis Ledoux Date: Tue, 16 Sep 2014 18:33:42 +0200 Subject: [PATCH 06/14] [FIX] auth_ldap: avoid to try twice the authentication to the ldap server See #1982 --- addons/auth_ldap/users_ldap.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/addons/auth_ldap/users_ldap.py b/addons/auth_ldap/users_ldap.py index a09b6839ab9..e253874d33a 100644 --- a/addons/auth_ldap/users_ldap.py +++ b/addons/auth_ldap/users_ldap.py @@ -251,6 +251,10 @@ class users(osv.osv): return user_id registry = RegistryManager.get(db) with registry.cursor() as cr: + cr.execute("SELECT id, active FROM res_users WHERE lower(login)=%s", (login,)) + res = cr.fetchone() + if res: + return False ldap_obj = registry.get('res.company.ldap') for conf in ldap_obj.get_ldap_dicts(cr): entry = ldap_obj.authenticate(conf, login, password) From 199a8c40f57ad7ca33a02d631ffc05b801f70308 Mon Sep 17 00:00:00 2001 From: Christophe Simonis Date: Tue, 16 Sep 2014 19:50:45 +0200 Subject: [PATCH 07/14] [FIX] payment_paypal: create account with at least required fields --- addons/payment_paypal/models/paypal.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/addons/payment_paypal/models/paypal.py b/addons/payment_paypal/models/paypal.py index 3021c685e90..10ace891bcd 100644 --- a/addons/payment_paypal/models/paypal.py +++ b/addons/payment_paypal/models/paypal.py @@ -75,7 +75,8 @@ class AcquirerPaypal(osv.Model): else: paypal_view = self.pool['ir.model.data'].get_object(cr, uid, 'payment_paypal', 'paypal_acquirer_button') self.create(cr, uid, { - 'name': 'paypal', + 'name': 'Paypal', + 'provider': 'paypal', 'paypal_email_account': company_paypal_account, 'view_template_id': paypal_view.id, }, context=context) From f7511e7a6cbedb0207ac5e716346051e3c4c3e2b Mon Sep 17 00:00:00 2001 From: Christophe Simonis Date: Tue, 16 Sep 2014 19:53:14 +0200 Subject: [PATCH 08/14] [FIX] payment_paypal: paypal account migration: correct search of existing providers --- addons/payment_paypal/models/paypal.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/addons/payment_paypal/models/paypal.py b/addons/payment_paypal/models/paypal.py index 10ace891bcd..21b0fac68bc 100644 --- a/addons/payment_paypal/models/paypal.py +++ b/addons/payment_paypal/models/paypal.py @@ -69,7 +69,7 @@ class AcquirerPaypal(osv.Model): res = cr.fetchall() for (company_id, company_paypal_account) in res: if company_paypal_account: - company_paypal_ids = self.search(cr, uid, [('company_id', '=', company_id), ('name', '=', 'paypal')], limit=1, context=context) + company_paypal_ids = self.search(cr, uid, [('company_id', '=', company_id), ('provider', '=', 'paypal')], limit=1, context=context) if company_paypal_ids: self.write(cr, uid, company_paypal_ids, {'paypal_email_account': company_paypal_account}, context=context) else: From 28a27a9f91522ca9cb5387f98e56b1cc300a8dd0 Mon Sep 17 00:00:00 2001 From: Martin Trigaux Date: Wed, 17 Sep 2014 11:05:32 +0200 Subject: [PATCH 09/14] [IMP] payment: simplify rev d99835e The group public is defined in base so no need to add security rule in website_payment module (same as for portal) --- addons/payment/security/payment_security.xml | 2 +- addons/website_payment/__openerp__.py | 1 - addons/website_payment/payment_security.xml | 10 ---------- 3 files changed, 1 insertion(+), 12 deletions(-) delete mode 100644 addons/website_payment/payment_security.xml diff --git a/addons/payment/security/payment_security.xml b/addons/payment/security/payment_security.xml index 8fb4def2811..7bae346c648 100644 --- a/addons/payment/security/payment_security.xml +++ b/addons/payment/security/payment_security.xml @@ -10,7 +10,7 @@ ('partner_id','=',False), ('partner_id','=',user.partner_id.id) ] - + diff --git a/addons/website_payment/__openerp__.py b/addons/website_payment/__openerp__.py index 4c13b562b5e..c745f643fec 100644 --- a/addons/website_payment/__openerp__.py +++ b/addons/website_payment/__openerp__.py @@ -12,7 +12,6 @@ 'payment', ], 'data': [ - 'payment_security.xml', 'views/website_payment_templates.xml', 'views/website_settings_payment.xml', ], diff --git a/addons/website_payment/payment_security.xml b/addons/website_payment/payment_security.xml deleted file mode 100644 index d8aafa15631..00000000000 --- a/addons/website_payment/payment_security.xml +++ /dev/null @@ -1,10 +0,0 @@ - - - - - - - - - - From 2ee1843757e87a75a36dce29eb47f784a4725c34 Mon Sep 17 00:00:00 2001 From: Martin Trigaux Date: Wed, 17 Sep 2014 12:28:21 +0200 Subject: [PATCH 10/14] [FIX] website_sale: retrieve transactions as superuser Due to additional security rules, the transactions made as public user will have a new partner_id. The transaction needs to be retrieved as admin to be set in the context. The operations in payment_get_status are made as superuser but the session_id is checked in the assert above to avoid url manipulation. --- addons/website_sale/controllers/main.py | 4 ++-- addons/website_sale/models/website.py | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/addons/website_sale/controllers/main.py b/addons/website_sale/controllers/main.py index 083f9651fd1..0e193243cc1 100644 --- a/addons/website_sale/controllers/main.py +++ b/addons/website_sale/controllers/main.py @@ -690,7 +690,7 @@ class Ecommerce(http.Controller): } tx_ids = request.registry['payment.transaction'].search( - cr, uid, [ + cr, SUPERUSER_ID, [ '|', ('sale_order_id', '=', order.id), ('reference', '=', order.name) ], context=context) @@ -705,7 +705,7 @@ class Ecommerce(http.Controller): message = "" validation = None else: - tx = request.registry['payment.transaction'].browse(cr, uid, tx_ids[0], context=context) + tx = request.registry['payment.transaction'].browse(cr, SUPERUSER_ID, tx_ids[0], context=context) state = tx.state if state == 'done': message = '

%s

' % _('Your payment has been received.') diff --git a/addons/website_sale/models/website.py b/addons/website_sale/models/website.py index d969d2a9211..2c5de4f9b49 100644 --- a/addons/website_sale/models/website.py +++ b/addons/website_sale/models/website.py @@ -214,7 +214,7 @@ class Website(orm.Model): def preprocess_request(self, cr, uid, ids, request, context=None): request.context.update({ 'website_sale_order': self.ecommerce_get_current_order(cr, uid, context=context), - 'website_sale_transaction': self.ecommerce_get_current_transaction(cr, uid, context=context) + 'website_sale_transaction': self.ecommerce_get_current_transaction(cr, SUPERUSER_ID, context=context) }) return super(Website, self).preprocess_request(cr, uid, ids, request, context=None) From e04a87e11f500f183d4466e0632a4ba7e4c7fee5 Mon Sep 17 00:00:00 2001 From: Martin Trigaux Date: Tue, 16 Sep 2014 17:23:44 +0200 Subject: [PATCH 11/14] [IMP] website_sale: do not show transaction on sale order This object is quite technical and has not purpose to be displayed on a sale order. --- addons/website_sale/views/sale_order.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/addons/website_sale/views/sale_order.xml b/addons/website_sale/views/sale_order.xml index ad90e1e7c43..2568ec21603 100644 --- a/addons/website_sale/views/sale_order.xml +++ b/addons/website_sale/views/sale_order.xml @@ -8,8 +8,8 @@ - - + + From f5f76094a79f515b1fcddfea9b4b2e73c4189c26 Mon Sep 17 00:00:00 2001 From: Denis Ledoux Date: Wed, 17 Sep 2014 13:32:30 +0200 Subject: [PATCH 12/14] [FIX] orm write: do not try to store computed & stored fields for relational records deleted by *2many fields opw-613772 --- openerp/osv/orm.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/openerp/osv/orm.py b/openerp/osv/orm.py index 07ed496000c..f934235d99d 100644 --- a/openerp/osv/orm.py +++ b/openerp/osv/orm.py @@ -55,6 +55,7 @@ import simplejson import time import traceback import types +from collections import defaultdict import psycopg2 from lxml import etree @@ -4166,6 +4167,7 @@ class BaseModel(object): """ readonly = None self.check_field_access_rights(cr, user, 'write', vals.keys()) + deleted_related = defaultdict(list) for field in vals.copy(): fobj = None if field in self._columns: @@ -4174,6 +4176,10 @@ class BaseModel(object): fobj = self._inherit_fields[field][2] if not fobj: continue + if fobj._type in ['one2many', 'many2many'] and vals[field]: + for wtuple in vals[field]: + if isinstance(wtuple, (tuple, list)) and wtuple[0] == 2: + deleted_related[fobj._obj].append(wtuple[1]) groups = fobj.write if groups: @@ -4380,7 +4386,8 @@ class BaseModel(object): for id in ids_to_update: if id not in done[key]: done[key][id] = True - todo.append(id) + if id not in deleted_related[object]: + todo.append(id) self.pool.get(object)._store_set_values(cr, user, todo, fields_to_recompute, context) self._workflow_trigger(cr, user, ids, 'trg_write', context=context) From 938502aa37b53f218a2b48e1fb36f45cb6fa67ef Mon Sep 17 00:00:00 2001 From: Olivier Dony Date: Wed, 17 Sep 2014 15:09:55 +0200 Subject: [PATCH 13/14] [FIX] loading: always process auto-installed modules for new databases If the server was started without -i or -u and happened to initialize a fresh database, auto-installed modules that depend on `base` only would stay in status "to install" without actually being installed (until the next installation round was triggered). This was of little consequence in 7.0, but causes a crash in 8.0. Fixes #953 --- openerp/modules/loading.py | 1 + 1 file changed, 1 insertion(+) diff --git a/openerp/modules/loading.py b/openerp/modules/loading.py index 6112ef07f7c..5ee4029074e 100644 --- a/openerp/modules/loading.py +++ b/openerp/modules/loading.py @@ -277,6 +277,7 @@ def load_modules(db, force_demo=False, status=None, update_module=False): if not openerp.modules.db.is_initialized(cr): _logger.info("init db") openerp.modules.db.initialize(cr) + update_module = True # process auto-installed modules tools.config["init"]["all"] = 1 tools.config['update']['all'] = 1 if not tools.config['without_demo']: From b6e6b57326d6a8217f58ad69286eec67e6b617d9 Mon Sep 17 00:00:00 2001 From: Denis Ledoux Date: Wed, 17 Sep 2014 16:24:40 +0200 Subject: [PATCH 14/14] [FIX] orm: typo during forward port 60a82133cc0e0d7c4879b6c518054cbd44e20c0c --- openerp/osv/orm.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openerp/osv/orm.py b/openerp/osv/orm.py index 520b2b0f680..bcec1ac98f0 100644 --- a/openerp/osv/orm.py +++ b/openerp/osv/orm.py @@ -4035,7 +4035,7 @@ class BaseModel(object): for id in ids_to_update: if id not in done[key]: done[key][id] = True - if id not in deleted_related[object]: + if id not in deleted_related[model_name]: todo.append(id) self.pool[model_name]._store_set_values(cr, user, todo, fields_to_recompute, context)