From f9993774f1ebe197fb72cce66a209c902d3dd9dd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thibault=20Delavall=C3=A9e?=
Date: Wed, 19 Feb 2014 12:13:30 +0100
Subject: [PATCH] [IMP] note: user_id owner field added in model, allowing to tune a bit the access rules, notably about reading and creation. This allows by the way to remove the hack about the operation in context when subscribing users on a document. The new rules on create and read now include user_id, aka the owner of a note can always create (default value) and read its notes. Also removed an unnecessary field (current_partner_id), as it was buggy and unnecessary; view udpated accordingly. [IMP] mail: removed a hack introduced in saas-3 with the current orm operation in context to by-pass some access rules when subscribing someone on a document. bzr revid: tde@openerp.com-20140219111330-l3hw5324hvuikpjc
---
 addons/mail/mail_thread.py | 17 +++++--------
 addons/note/note.py | 9 ++-----
 addons/note/note_view.xml | 3 +--
 addons/note/security/ir.rule.xml | 41 +++++++++++++++++++-------------
 4 files changed, 33 insertions(+), 37 deletions(-)
diff --git a/addons/mail/mail_thread.py b/addons/mail/mail_thread.py
index 9a8adee31c3..eea95a6c5ed 100644
--- a/addons/mail/mail_thread.py
+++ b/addons/mail/mail_thread.py
@@ -348,11 +348,7 @@ class mail_thread(osv.AbstractModel):
 message_follower_ids = values.get('message_follower_ids') or [] # webclient can send None or False
 message_follower_ids.append([4, pid])
 values['message_follower_ids'] = message_follower_ids
- # add operation to ignore access rule checking for subscription
- context_operation = dict(context, operation='create')
- else:
- context_operation = context
- thread_id = super(mail_thread, self).create(cr, uid, values, context=context_operation)
+ thread_id = super(mail_thread, self).create(cr, uid, values, context=context)
 # automatic logging unless asked not to (mainly for various testing purpose)
 if not context.get('mail_create_nolog'):
@@ -1558,12 +1554,11 @@ class mail_thread(osv.AbstractModel):
 user_pid = self.pool.get('res.users').browse(cr, uid, uid, context=context).partner_id.id
 if set(partner_ids) == set([user_pid]):
- if context.get('operation', '') != 'create':
- try:
- self.check_access_rights(cr, uid, 'read')
- self.check_access_rule(cr, uid, ids, 'read')
- except (osv.except_osv, orm.except_orm):
- return False
+ try:
+ self.check_access_rights(cr, uid, 'read')
+ self.check_access_rule(cr, uid, ids, 'read')
+ except (osv.except_osv, orm.except_orm):
+ return False
 else:
 self.check_access_rights(cr, uid, 'write')
 self.check_access_rule(cr, uid, ids, 'write')
diff --git a/addons/note/note.py b/addons/note/note.py
index 00c67c37191..7f03f43b36a 100644
--- a/addons/note/note.py
+++ b/addons/note/note.py
@@ -72,12 +72,6 @@ class note_note(osv.osv):
 def onclick_note_not_done(self, cr, uid, ids, context=None):
 return self.write(cr, uid, ids, {'open': True}, context=context)
- #used for undisplay the follower if it's the current user
- def _get_my_current_partner(self, cr, uid, ids, name, args, context=None):
- user = self.pool.get('res.users').browse(cr, uid, uid, context=context)
- pid = user.partner_id and user.partner_id.id or False
- return dict.fromkeys(ids, pid)
-
 #return the default stage for the uid user
 def _get_default_stage_id(self,cr,uid,context=None):
 ids = self.pool.get('note.stage').search(cr,uid,[('user_id','=',uid)], context=context)
@@ -101,6 +95,7 @@ class note_note(osv.osv):
 'name': fields.function(_get_note_first_line,
 string='Note Summary',
 type='text', store=True),
+ 'user_id': fields.many2one('res.users', 'Owner'),
 'memo': fields.html('Note Content'),
 'sequence': fields.integer('Sequence'),
 'stage_id': fields.function(_get_stage_per_user,
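Review bot: In the self-subscription branch, `except (osv.except_osv, orm.except_orm): return False` still turns an access denial into a silent `False`, while the `else` branch lets the same exceptions propagate to the caller. Now that the `create` hunk at -348 no longer passes `operation='create'`, any model inheriting mail.thread whose read rule does not cover the creator would presumably lose its automatic subscription at creation with no trace; only the note rules are adjusted in this commit. I would log the denial before returning and add a comment above the `try`, for example `# read access is always checked here; nothing in the context may skip it`. The enclosing method starts and ends outside the hunk.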
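Review bot: `user_id` now decides who passes the record rules, yet the column is declared as a plain writable `fields.many2one('res.users', 'Owner')` with no `ondelete`, no index and no guard on modification. If followers keep write access to a note (the rule permissions are not readable on this page), a follower could presumably set `user_id` to themselves and then satisfy the owner-only create/unlink rule; a `write()` override that refuses a change of `user_id` unless `uid` is the current owner would close that. Because the rule domains filter on this column on every access, `select=True` is worth adding, and `ondelete` should be chosen explicitly so that removing a user does not silently leave notes without an owner. The `_columns` dict starts and ends outside the hunk.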
@@ -113,9 +108,9 @@ class note_note(osv.osv):
 'date_done': fields.date('Date done'),
 'color': fields.integer('Color Index'),
 'tag_ids' : fields.many2many('note.tag','note_tags_rel','note_id','tag_id','Tags'),
- 'current_partner_id' : fields.function(_get_my_current_partner, type="many2one", relation='res.partner', string="Owner"),
 }
 _defaults = {
+ 'user_id': lambda self, cr, uid, ctx=None: uid,
 'open' : 1,
 'stage_id' : _get_default_stage_id,
 }
diff --git a/addons/note/note_view.xml b/addons/note/note_view.xml
index f3b9e4669c7..35d4ce316fc 100644
--- a/addons/note/note_view.xml
+++ b/addons/note/note_view.xml
@@ -49,7 +49,6 @@
-
@@ -82,7 +81,7 @@
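Review bot: The default `'user_id': lambda self, cr, uid, ctx=None: uid` only fills records created after this commit, so existing notes keep an empty `user_id` and can never match the owner rule `[('user_id', '=', user.id)]` added in ir.rule.xml. Assuming that rule governs unlink as its name says, ordinary users could no longer delete their older notes; a backfill of `user_id` from `create_uid` at module update would avoid that. The default is also only a fallback, since a value supplied in the `create()` values overrides it, so ownership is enforced by the record rule and not by this line. A short comment next to the default saying so would prevent it from being read as an access control. `_defaults` closes inside the hunk, but `_columns` starts outside it.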
-
+
diff --git a/addons/note/security/ir.rule.xml b/addons/note/security/ir.rule.xml
index 2c6e9f3bc7f..2b9645cc9d4 100644
--- a/addons/note/security/ir.rule.xml
+++ b/addons/note/security/ir.rule.xml
@@ -1,23 +1,30 @@
-
- Only followers can access a sticky notes
-
- [('message_follower_ids','=',user.partner_id.id)]
-
-
-
-
-
-
+
+ Only followers can access a sticky notes
+
+ ['|', ('user_id', '=', user.id), ('message_follower_ids', '=', user.partner_id.id)]
+
+
+
+
+
+
+ note: create / unlink: responsible
+
+ [('user_id', '=', user.id)]
+
+
+
+
+
+
+ Each user have his stage name
+
+ ['|',('user_id','=',False),('user_id','=',user.id)]
+
+
-
- Each user have his stage name
-
- ['|',('user_id','=',False),('user_id','=',user.id)]
-
-
-
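Review bot: The first rule keeps the name "Only followers can access a sticky notes" although its domain now also admits the owner through `('user_id', '=', user.id)`. That name is what an administrator reads when auditing record rules, so it should describe the real scope, for example "Only the owner and followers can access a sticky note". The permission flags of each rule are not readable on this page, so it is worth confirming that the owner-only rule "note: create / unlink: responsible" is limited to create and unlink. If both note rules are global they are combined with AND, and an owner-only rule that also covered read or write would lock followers out.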