[FIX] ir_attachment: upload of attachment for non-employees
This rev. is related to eb9113c04d
if a model or a resource id is not defined on an attachment
restrict access to employees only if the creator
of this attachment is not the current user.
So non-employees can access their attachments without
models/resource id, which includes attachment of
discussions threads.
Fixes #4309
Closes #4310
This commit is contained in:
parent
3bd29a3483
commit
eaad70daac
|
@ -197,10 +197,11 @@ class ir_attachment(osv.osv):
|
|||
if ids:
|
||||
if isinstance(ids, (int, long)):
|
||||
ids = [ids]
|
||||
cr.execute('SELECT DISTINCT res_model, res_id FROM ir_attachment WHERE id = ANY (%s)', (ids,))
|
||||
for rmod, rid in cr.fetchall():
|
||||
cr.execute('SELECT DISTINCT res_model, res_id, create_uid FROM ir_attachment WHERE id = ANY (%s)', (ids,))
|
||||
for rmod, rid, create_uid in cr.fetchall():
|
||||
if not (rmod and rid):
|
||||
require_employee = True
|
||||
if create_uid != uid:
|
||||
require_employee = True
|
||||
continue
|
||||
res_ids.setdefault(rmod,set()).add(rid)
|
||||
if values:
|
||||
|
|
Loading…
Reference in New Issue