OpenERP Community Backports (Server)

Merge lp:~therp-nl/ocb-server/6.1-attachment_search_invalid_model into lp:ocb-server/6.1

  1. 6.1-attachment_search_invalid_model
  2. Merge into 6.1
Proposed by Stefan Rijnhart (Opener)
Status: Needs review
Proposed branch: lp:~therp-nl/ocb-server/6.1-attachment_search_invalid_model
Merge into: lp:ocb-server/6.1
Diff against target: 55 lines (+15/-2)
1 file modified
openerp/addons/base/ir/ir_attachment.py (+15/-2)
To merge this branch: bzr merge lp:~therp-nl/ocb-server/6.1-attachment_search_invalid_model
Reviewer Review Type Date Requested Status
Pedro Manuel Baeza Approve
Review via email: mp+250184@code.launchpad.net

Description of the change

Fix problems with accessing attachments with missing models or record ids. Backports of

https://github.com/odoo/odoo/commit/eb9113c04d66627fbe04b473b9010e5de973c6aa
https://github.com/odoo/odoo/commit/4669f05406b07074c38b4d19c0c2ddf4e9407918

To post a comment you must log in.
Revision history for this message
Pedro Manuel Baeza (pedro.baeza) wrote :

LGTM

review: Approve
Reply
lp:~therp-nl/ocb-server/6.1-attachment_search_invalid_model updated
4331. By OpenERP instance user <email address hidden>

[FIX] Can't do that in 6.1 yet

Unmerged revisions

4331. By OpenERP instance user <email address hidden>

[FIX] Can't do that in 6.1 yet

4330. By Denis Ledoux (OpenERP)

[FIX] ir_attachment: restrict access to orphan attachments to employees
and fix crashes when retrieving attachments without existing models or
records

4329. By Denis Ledoux (OpenERP)

[FIX] Don't break attachment search on attachments of models that are removed

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'openerp/addons/base/ir/ir_attachment.py'
2--- openerp/addons/base/ir/ir_attachment.py 2013-09-10 14:15:41 +0000
3+++ openerp/addons/base/ir/ir_attachment.py 2015-02-19 09:01:07 +0000
4@@ -23,6 +23,7 @@
5
6 from osv import fields,osv
7 from osv.orm import except_orm
8+from openerp.tools.translate import _
9 import tools
10
11 class ir_attachment(osv.osv):
12@@ -34,12 +35,14 @@
13 if not ids:
14 return
15 res_ids = {}
16+ require_employee = False
17 if ids:
18 if isinstance(ids, (int, long)):
19 ids = [ids]
20 cr.execute('SELECT DISTINCT res_model, res_id FROM ir_attachment WHERE id = ANY (%s)', (ids,))
21 for rmod, rid in cr.fetchall():
22 if not (rmod and rid):
23+ require_employee = True
24 continue
25 res_ids.setdefault(rmod,set()).add(rid)
26 if values:
27@@ -50,9 +53,17 @@
28 for model, mids in res_ids.items():
29 # ignore attachments that are not attached to a resource anymore when checking access rights
30 # (resource was deleted but attachment was not)
31- mids = self.pool.get(model).exists(cr, uid, mids)
32+ if not self.pool.get(model):
33+ require_employee = True
34+ continue
35+ existing_ids = self.pool.get(model).exists(cr, uid, mids)
36+ if len(existing_ids) != len(mids):
37+ require_employee = True
38 ima.check(cr, uid, model, mode)
39- self.pool.get(model).check_access_rule(cr, uid, mids, mode, context=context)
40+ self.pool.get(model).check_access_rule(cr, uid, existing_ids, mode, context=context)
41+ if require_employee:
42+ if not self.pool['ir.model.access'].check_groups(cr, uid, 'base.group_user'):
43+ raise except_orm(_('Access Denied'), _("Sorry, you are not allowed to access this document."))
44
45 def _search(self, cr, uid, args, offset=0, limit=None, order=None, context=None, count=False, access_rights_uid=None):
46 ids = super(ir_attachment, self)._search(cr, uid, args, offset=offset,
47@@ -87,6 +98,8 @@
48 # performed in batch as much as possible.
49 ima = self.pool.get('ir.model.access')
50 for model, targets in model_attachments.iteritems():
51+ if not self.pool.get(model):
52+ continue
53 if not ima.check(cr, uid, model, 'read', False):
54 # remove all corresponding attachment ids
55 for attach_id in itertools.chain(*targets.values()):

Subscribers

People subscribed via source and target branches

to status/vote changes: