[FIX] ir_attachment: upload of attachment for non-employees

This rev. is related to eb9113c04d if a model or a resource id is not defined on an attachment restrict access to employees only if the creator of this attachment is not the current user. So non-employees can access their attachments without models/resource id, which includes attachment of discussions threads. Fixes #4309 Closes #4310
2015-04-03 12:40:57 +02:00 · 2015-04-03 12:40:57 +02:00 · eaad70daac
parent 3bd29a3483
commit eaad70daac
1 changed files with 4 additions and 3 deletions
--- a/openerp/addons/base/ir/ir_attachment.py
+++ b/openerp/addons/base/ir/ir_attachment.py
@ -197,10 +197,11 @@ class ir_attachment(osv.osv):
        if ids:
            if isinstance(ids, (int, long)):
                ids = [ids]
-            cr.execute('SELECT DISTINCT res_model, res_id FROM ir_attachment WHERE id = ANY (%s)', (ids,))
-            for rmod, rid in cr.fetchall():
+            cr.execute('SELECT DISTINCT res_model, res_id, create_uid FROM ir_attachment WHERE id = ANY (%s)', (ids,))
+            for rmod, rid, create_uid in cr.fetchall():
                if not (rmod and rid):
-                    require_employee = True
+                    if create_uid != uid:
+                        require_employee = True
                    continue
                res_ids.setdefault(rmod,set()).add(rid)
        if values: