[IMP] note: user_id owner field added in model, allowing to tune a bit

the access rules, notably about reading and creation. This allows by the way to remove the hack about the operation in context when subscribing users on a document. The new rules on create and read now include user_id, aka the owner of a note can always create (default value) and read its notes. Also removed an unnecessary field (current_partner_id), as it was buggy and unnecessary; view udpated accordingly. [IMP] mail: removed a hack introduced in saas-3 with the current orm operation in context to by-pass some access rules when subscribing someone on a document. bzr revid: tde@openerp.com-20140219111330-l3hw5324hvuikpjc
2014-02-19 12:13:30 +01:00 · 2014-02-19 12:13:30 +01:00 · f9993774f1
parent fbead8fab1
commit f9993774f1
4 changed files with 33 additions and 37 deletions
--- a/addons/mail/mail_thread.py
+++ b/addons/mail/mail_thread.py
@ -348,11 +348,7 @@ class mail_thread(osv.AbstractModel):
            message_follower_ids = values.get('message_follower_ids') or []  # webclient can send None or False
            message_follower_ids.append([4, pid])
            values['message_follower_ids'] = message_follower_ids
-            # add operation to ignore access rule checking for subscription
-            context_operation = dict(context, operation='create')
-        else:
-            context_operation = context
-        thread_id = super(mail_thread, self).create(cr, uid, values, context=context_operation)
+        thread_id = super(mail_thread, self).create(cr, uid, values, context=context)

        # automatic logging unless asked not to (mainly for various testing purpose)
        if not context.get('mail_create_nolog'):
@ -1558,12 +1554,11 @@ class mail_thread(osv.AbstractModel):

        user_pid = self.pool.get('res.users').browse(cr, uid, uid, context=context).partner_id.id
        if set(partner_ids) == set([user_pid]):
-            if context.get('operation', '') != 'create':
-                try:
-                    self.check_access_rights(cr, uid, 'read')
-                    self.check_access_rule(cr, uid, ids, 'read')
-                except (osv.except_osv, orm.except_orm):
-                    return False
+            try:
+                self.check_access_rights(cr, uid, 'read')
+                self.check_access_rule(cr, uid, ids, 'read')
+            except (osv.except_osv, orm.except_orm):
+                return False
        else:
            self.check_access_rights(cr, uid, 'write')
            self.check_access_rule(cr, uid, ids, 'write')
--- a/addons/note/note.py
+++ b/addons/note/note.py
@ -72,12 +72,6 @@ class note_note(osv.osv):
    def onclick_note_not_done(self, cr, uid, ids, context=None):
        return self.write(cr, uid, ids, {'open': True}, context=context)

-    #used for undisplay the follower if it's the current user
-    def _get_my_current_partner(self, cr, uid, ids, name, args, context=None):
-        user = self.pool.get('res.users').browse(cr, uid, uid, context=context)
-        pid = user.partner_id and user.partner_id.id or False
-        return dict.fromkeys(ids, pid)
-
    #return the default stage for the uid user
    def _get_default_stage_id(self,cr,uid,context=None):
        ids = self.pool.get('note.stage').search(cr,uid,[('user_id','=',uid)], context=context)
@ -101,6 +95,7 @@ class note_note(osv.osv):
        'name': fields.function(_get_note_first_line, 
            string='Note Summary', 
            type='text', store=True),
+        'user_id': fields.many2one('res.users', 'Owner'),
        'memo': fields.html('Note Content'),
        'sequence': fields.integer('Sequence'),
        'stage_id': fields.function(_get_stage_per_user, 
@ -113,9 +108,9 @@ class note_note(osv.osv):
        'date_done': fields.date('Date done'),
        'color': fields.integer('Color Index'),
        'tag_ids' : fields.many2many('note.tag','note_tags_rel','note_id','tag_id','Tags'),
-        'current_partner_id' : fields.function(_get_my_current_partner, type="many2one", relation='res.partner', string="Owner"),
    }
    _defaults = {
+        'user_id': lambda self, cr, uid, ctx=None: uid,
        'open' : 1,
        'stage_id' : _get_default_stage_id,
    }
--- a/addons/note/note_view.xml
+++ b/addons/note/note_view.xml
@ -49,7 +49,6 @@
          <field name="open"/>
          <field name="memo"/>
          <field name="date_done"/>
-          <field name="current_partner_id"/>
          <field name="message_follower_ids"/>
          <field name="tag_ids"/>
          <templates>
@ -82,7 +81,7 @@
                <field name="tag_ids"/>
                <div class="oe_right">
                  <t t-foreach="record.message_follower_ids.raw_value" t-as="follower">
-                    <img t-if="record.current_partner_id.raw_value!=follower" t-att-src="kanban_image('res.partner', 'image_small', follower)" width="24" height="24" class="oe_kanban_avatar" t-att-data-member_id="follower"/>
+                    <img t-att-src="kanban_image('res.partner', 'image_small', follower)" width="24" height="24" class="oe_kanban_avatar" t-att-data-member_id="follower"/>
                  </t>
                </div>
                <div class="oe_clear"></div>
--- a/addons/note/security/ir.rule.xml
+++ b/addons/note/security/ir.rule.xml
@ -1,23 +1,30 @@
 <?xml version="1.0"?>
 <openerp>
 <data>
-  <record id="note_note_rule_global" model="ir.rule">
-    <field name="name">Only followers can access a sticky notes</field>
-    <field ref="model_note_note" name="model_id"/>
-    <field name="domain_force">[('message_follower_ids','=',user.partner_id.id)]</field>
-    <field eval="True" name="global"/>
-    <field eval="1" name="perm_unlink"/>
-    <field eval="0" name="perm_write"/>
-    <field eval="1" name="perm_read"/>
-    <field eval="0" name="perm_create"/>
-  </record>
+    <record id="note_note_rule_global" model="ir.rule">
+        <field name="name">Only followers can access a sticky notes</field>
+        <field name="model_id" ref="model_note_note"/>
+        <field name="domain_force">['|', ('user_id', '=', user.id), ('message_follower_ids', '=', user.partner_id.id)]</field>
+        <field name="global" eval="True"/>
+        <field name="perm_create" eval="False"/>
+        <field name="perm_unlink" eval="False"/>
+    </record>
+
+    <record id="note_note_create_unlink_global" model="ir.rule">
+        <field name="name">note: create / unlink: responsible</field>
+        <field name="model_id" ref="model_note_note"/>
+        <field name="domain_force">[('user_id', '=', user.id)]</field>
+        <field name="global" eval="True"/>
+        <field name="perm_write" eval="False"/>
+        <field name="perm_read" eval="False"/>
+    </record>
+
+    <record id="note_stage_rule_global" model="ir.rule">
+        <field name="name">Each user have his stage name</field>
+        <field name="model_id" ref="model_note_stage"/>
+        <field name="domain_force">['|',('user_id','=',False),('user_id','=',user.id)]</field>
+        <field name="global" eval="True"/>
+    </record>

-  <record id="note_stage_rule_global" model="ir.rule">
-    <field name="name">Each user have his stage name</field>
-    <field ref="model_note_stage" name="model_id"/>
-    <field name="domain_force">['|',('user_id','=',False),('user_id','=',user.id)]</field>
-    <field eval="True" name="global"/>
-  </record>
 </data>
 </openerp>
-