
[FIX] models: check groups on inverse fields

Before this, groups on non-stored inverse fields were not checked upon write.
The impact on existing fields is pretty small, since the inverse methods of
those fields are subject to access rights on the records they use.

closes #30357
rco-odoo committed Jan 18, 2019
1 parent cbdc8d8 commit 716a272480e649db721c081605368e1bccf8dc91
Showing with 34 additions and 0 deletions.
  1. +29 −0 odoo/addons/test_new_api/tests/test_new_fields.py
  2. +5 −0 odoo/models.py
@@ -364,6 +364,16 @@ def test_13_inverse(self):
self.assertEqual(record.bar3, 'C')
self.assertCountEqual(log, ['compute'])

def test_13_inverse_access(self):
""" test access rights on inverse fields """
foo = self.env['test_new_api.category'].create({'name': 'Foo'})
user = self.env['res.users'].create({'name': 'Foo', 'login': 'foo'})
self.assertFalse(user.has_group('base.group_system'))
# add group on non-stored inverse field
self.patch(type(foo).display_name, 'groups', 'base.group_system')
with self.assertRaises(AccessError):
foo.sudo(user).display_name = 'Forbidden'

def test_14_search(self):
""" test search on computed fields """
discussion = self.env.ref('test_new_api.discussion_0')
@@ -752,6 +762,25 @@ def test_27_company_dependent(self):
self.assertEqual(attribute_record.bar, 'DEFDEF')
self.assertFalse(self.env.has_todo())

# add group on company-dependent field
self.assertFalse(user0.has_group('base.group_system'))
self.patch(type(record).foo, 'groups', 'base.group_system')
with self.assertRaises(AccessError):
record.sudo(user0).foo = 'forbidden'

user0.write({'groups_id': [(4, self.env.ref('base.group_system').id)]})
record.sudo(user0).foo = 'yes we can'

# add ir.rule to prevent access on record
self.assertTrue(user0.has_group('base.group_user'))
rule = self.env['ir.rule'].create({
'model_id': self.env['ir.model']._get_id(record._name),
'groups': [self.env.ref('base.group_user').id],
'domain_force': str([('id', '!=', record.id)]),
})
with self.assertRaises(AccessError):
record.sudo(user0).foo = 'forbidden'

def test_30_read(self):
""" test computed fields as returned by read(). """
discussion = self.env.ref('test_new_api.discussion_0')
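Review bot: `test_13_inverse_access` only asserts that `AccessError` is raised for a user outside `base.group_system`; it never checks that the record is left unchanged, nor that a member of the group can still write the field, which the company-dependent case in the second hunk does cover. Because the check this commit adds in `write()` sits after `self._write(store_vals)`, a mixed write is the case most worth pinning down: `foo.sudo(user).write({'name': 'Bar', 'display_name': 'Forbidden'})` inside `assertRaises`, followed by `self.assertEqual(foo.name, 'Foo')`. Whether that assertion holds depends on transaction and cache handling that is not visible here (and on `name` being a stored field, which the `create` call suggests), so treat it as a case to add and confirm rather than an expected pass.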
@@ -3114,6 +3114,9 @@ def write(self, vals):
with self.env.protecting(protected_fields, self):
# write stored fields with (low-level) method _write
if store_vals or inverse_vals or inherited_vals:
# if log_access is enabled, this updates 'write_date' and
# 'write_uid' and check access rules, even when old_vals is
# empty
self._write(store_vals)

# update parent records (after possibly updating parent fields)
@@ -3130,6 +3133,8 @@ def write(self, vals):
self.env[model_name].browse(parent_ids).write(parent_vals)

if inverse_vals:
self.check_field_access_rights('write', list(inverse_vals))

self.modified(set(inverse_vals) - set(store_vals))

# in case several fields use the same inverse method, call it once
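Review bot: The group check added under `if inverse_vals:` runs after `self._write(store_vals)` and after the parent-record `write(parent_vals)`, so a call that mixes stored fields with a group-restricted inverse field has already changed state when access is refused. In an ordinary request the `AccessError` presumably aborts the transaction, but a caller that catches the exception and carries on in the same transaction would keep the stored part of the write; this is inferred, since the rest of `write()` lies outside these hunks. Moving `self.check_field_access_rights('write', list(inverse_vals))` ahead of `self._write(store_vals)` would make the method deny before it mutates anything. A short comment on that line, such as `# groups on non-stored inverse fields are not checked by _write()`, would also record why the extra check exists.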
