[FIX] ir_attachment: restrict access to orphan attachments to employees
This commit is contained in:
parent
f5cf5fd4eb
commit
eb9113c04d
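--- a/<path-not-shown-on-page>/ir_attachment.py
+++ b/<path-not-shown-on-page>/ir_attachment.py
@@ -28,6 +28,8 @@ import re
 from openerp import tools
 from openerp.osv import fields,osv
 from openerp import SUPERUSER_ID
+from openerp.osv.orm import except_orm
+from openerp.tools.translate import _
 
 _logger = logging.getLogger(__name__)
 
@@ -189,12 +191,14 @@ class ir_attachment(osv.osv):
 more complex ones apply there.
 """
 res_ids = {}
+require_employee = False
 if ids:
 if isinstance(ids, (int, long)):
 ids = [ids]
 cr.execute('SELECT DISTINCT res_model, res_id FROM ir_attachment WHERE id = ANY (%s)', (ids,))
 for rmod, rid in cr.fetchall():
 if not (rmod and rid):
+require_employee = True
 continue
 res_ids.setdefault(rmod,set()).add(rid)
 if values:
@@ -206,10 +210,16 @@ class ir_attachment(osv.osv):
 # ignore attachments that are not attached to a resource anymore when checking access rights
 # (resource was deleted but attachment was not)
 if not self.pool.get(model):
+require_employee = True
 continue
-mids = self.pool.get(model).exists(cr, uid, mids)
+existing_ids = self.pool.get(model).exists(cr, uid, mids)
+if len(existing_ids) != len(mids):
+require_employee = True
 ima.check(cr, uid, model, mode)
-self.pool.get(model).check_access_rule(cr, uid, mids, mode, context=context)
+self.pool.get(model).check_access_rule(cr, uid, existing_ids, mode, context=context)
+if require_employee:
+if not self.pool['res.users'].has_group(cr, uid, 'base.group_user'):
+raise except_orm(_('Access Denied'), _("Sorry, you are not allowed to access this document."))
 
 def _search(self, cr, uid, args, offset=0, limit=None, order=None, context=None, count=False, access_rights_uid=None):
 ids = super(ir_attachment, self)._search(cr, uid, args, offset=offset,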
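Review bot: The fallback at `if require_employee:` in the third hunk should carry a comment explaining why the three `require_employee = True` sites exist, because each of them makes the loop skip the record-level check that would otherwise protect the attachment; suggested wording: `# Attachments whose resource cannot be resolved (no res_model/res_id, model not installed, or record deleted) cannot be checked through the referred model, so restrict them to internal users.` One case is left for the caller to confirm: when `values` is given without `res_model`/`res_id` nothing in the visible lines sets `require_employee`, so a non-employee creating an orphan attachment may still pass — the `values` branch lies outside this hunk. The `len(existing_ids) != len(mids)` test relies on `mids` holding no duplicates, which holds because `res_ids` is built from sets in the second hunk. The enclosing `check` method starts before the second hunk, and the lines of the page are shown without their original indentation.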