Merge lp:~openerp-dev/openerp-web/6.1-opw-578551-msh into lp:openerp-web/6.1

Proposed by Mohammed Shekha(Open ERP)
Status: Needs review
Proposed branch: lp:~openerp-dev/openerp-web/6.1-opw-578551-msh
Merge into: lp:openerp-web/6.1
Diff against target: 50 lines (+11/-6)
2 files modified
addons/web/static/src/js/data.js (+1/-0)
addons/web/static/src/js/view_form.js (+10/-6)
To merge this branch: bzr merge lp:~openerp-dev/openerp-web/6.1-opw-578551-msh
Reviewer Review Type Date Requested Status
OpenERP Core Team Pending
Review via email: mp+123010@code.launchpad.net

Description of the change

Hello,

Fixed the issue of one2many sending extra values as a link_to tuple, because of which write is called and an access error is generated for a user who has only create access, not write access.

Demo :- Edit the access rights for any user -> Settings -> Security -> Access Control List -> Search for the Attendance object -> Change the rights for the "Human Resource / Employee" group: remove the write access.
Now go to Human Resource -> Attendances -> Attendances, edit any record, create one one2many line and nothing else, and save the record.

Result :- It will give an access error that the user doesn't have write access, even though the record is not edited; we have just created a one2many record, which will call create of one2many, but due to the extra link_to record, write is called.

Expected :- Here the user didn't touch any other field of the form and just created the one2many record, so only that record should be sent to the server to create, but here the other one2many records are also sent with a to_link tuple. The behaviour should be: if there is a to_link record, then and only then is the tuple (4, id, false) created; otherwise only to_create, i.e. (0,0,values), should go as data.

Thanks.

Unmerged revisions

2448. By Mohammed Shekha(Open ERP)

[FIX]Fixed the issue of one2many access rights, one2many sends unnecessary values as a link_to.

Preview Diff

1=== modified file 'addons/web/static/src/js/data.js'
2--- addons/web/static/src/js/data.js 2012-09-03 13:17:44 +0000
3+++ addons/web/static/src/js/data.js 2012-09-06 05:31:22 +0000
4@@ -707,6 +707,7 @@
5 this.to_delete = [];
6 this.to_create = [];
7 this.to_write = [];
8+ this.to_link = [];
9 this.cache = [];
10 this.delete_all = false;
11 },
12
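Review bot: The new to_link queue, added at the `this.to_link = [];` line, has no comment saying what it holds or when entries leave it. This diff only resets it here, next to to_delete, to_create and to_write; if other code in data.js prunes those queues when a record is unlinked or saved, to_link needs the same handling, otherwise ids linked earlier stay queued. Please confirm that, and add a short comment that entries are {id: ...} objects standing for explicit link_to commands.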
13=== modified file 'addons/web/static/src/js/view_form.js'
14--- addons/web/static/src/js/view_form.js 2012-09-03 13:17:44 +0000
15+++ addons/web/static/src/js/view_form.js 2012-09-06 05:31:22 +0000
16@@ -2584,6 +2584,7 @@
17 self.dataset.to_delete.push({id: command[1]});
18 return;
19 case commands.LINK_TO:
20+ self.dataset.to_link.push({id: command[1]});
21 ids.push(command[1]);
22 return;
23 case commands.DELETE_ALL:
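Review bot: The push in the `case commands.LINK_TO:` branch is unconditional, so every LINK_TO command that reaches this switch is recorded, including any that only describe records already linked on the server. If the field's loaded value arrives here as LINK_TO commands, the serialization loop in the next hunk will still emit a link_to for each existing line, and the parent write that the description wants to avoid is still triggered; please confirm which callers produce LINK_TO at this point. The push also does not check for an existing entry, so the same id can be queued more than once unless to_link is reset before this loop runs, which is not visible in this hunk.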
24@@ -2622,17 +2623,20 @@
25 return [];
26 this.save_any_view();
27 var val = this.dataset.delete_all ? [commands.delete_all()] : [];
28- val = val.concat(_.map(this.dataset.ids, function(id) {
29+ _.each(this.dataset.ids, function(id){
30 var alter_order = _.detect(self.dataset.to_create, function(x) {return x.id === id;});
31 if (alter_order) {
32- return commands.create(alter_order.values);
33+ val.push(commands.create(alter_order.values));
34 }
35 alter_order = _.detect(self.dataset.to_write, function(x) {return x.id === id;});
36 if (alter_order) {
37- return commands.update(alter_order.id, alter_order.values);
38- }
39- return commands.link_to(id);
40- }));
41+ val.push(commands.update(alter_order.id, alter_order.values));
42+ }
43+ alter_order = _.detect(self.dataset.to_link, function(x) {return x.id === id;});
44+ if (alter_order) {
45+ val.push(commands.link_to(alter_order.id));
46+ }
47+ });
48 return val.concat(_.map(
49 this.dataset.to_delete, function(x) {
50 return commands['delete'](x.id);}));
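Review bot: The three `if (alter_order)` blocks in the new `_.each` callback are independent, whereas the removed `_.map` callback returned at the first match, so an id present in more than one queue (for example linked and then edited, so in both to_write and to_link) now yields two commands for the same record. Chain the blocks with `else if`, or `return` after each `val.push(...)`, to keep one command per id. A comment is also needed here stating that ids found in none of the queues are intentionally left out of the value: that omission is the behaviour change that lets a create-only user save, so it should be explicit, and the access check itself stays on the server.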