[FIX] portal: posting message without token

This commit e847797 factorize the check of special access to post a message using a token mecanism, but it breaks the case without token. Indeed, on some models, it is allow to post a message on a document when having a certain access. This is handle with the `_mail_post_access` attribute on model inheriting mail.thread. Using this mecanism, a user that can read (or write) the document can also post a message. This is used in the eShop to review product and in blog to comment blogpost. This commit restore posting a message without token. the normal access rights will be applied by message post and raise if the user can not post message, taking `_mail_post_access` into account. The balance is now restored in the universe. Task-1902304
odoo · Feb 15, 2019 · 3d60788 · 3d60788
1 parent 400f769
commit 3d60788
Showing 1 changed file with 8 additions and 6 deletions.
diff --git a/addons/portal/controllers/mail.py b/addons/portal/controllers/mail.py
@@ -52,12 +52,14 @@ def _message_post_helper(res_model, res_id, message, token='', nosubscribe=True,
     """
     record = request.env[res_model].browse(res_id)
 
-    # check if user can post
-    pid = int(kw['pid']) if kw.get('pid') else False
-    if _check_special_access(res_model, res_id, token=token, _hash=kw.get('hash'), pid=pid):
-        record = record.sudo()
-    else:
-        raise Forbidden()
+    # check if user can post with special token/signed token. The "else" will try to post message with the
+    # current user access rights (_mail_post_access use case).
+    if token or (kw.get('hash') and kw.get('pid')):
+        pid = int(kw['pid']) if kw.get('pid') else False
+        if _check_special_access(res_model, res_id, token=token, _hash=kw.get('hash'), pid=pid):
+            record = record.sudo()
+        else:
+            raise Forbidden()
 
     # deduce author of message
     author_id = request.env.user.partner_id.id if request.env.user.partner_id else False