
[WIP] improve the code for download attachment through token

mba-odoo committed Mar 18, 2019
1 parent 90d659d commit dd2dd9531cb0eab3c79d0bd82a6ffcaaceb99038
Showing with 29 additions and 16 deletions.
  1. +27 −14 addons/portal/controllers/mail.py
  2. +2 −2 addons/portal/static/src/xml/portal_chatter.xml
@@ -232,24 +232,37 @@ def avatar(self, res_model, partner_id, field_name, width=50, height=50):
return response

@http.route('/portal/content/<int:attachment_id>', type='http', auth="public")
def download_attachment(self, attachment_id, download=None, **kw):
access_token = kw.get('access_token')
res_model = kw.get('res_model')
res_id = int(kw.get('res_id', 0))
authorized_user = False
def download_attachment(self, attachment_id, model, id, access_token=False, field="datas", filename_field='name', download=None, **kw):

try:
document = request.env[model].browse(int(id))
document_sudo = document.sudo().exists()
if not document_sudo:
raise MissingError("This document does not exist.")
try:
document.check_access_rights('read')
document.check_access_rule('read')
except AccessError:
if not access_token or not _check_special_access(model, int(id), token=access_token):
raise Forbidden()
except (AccessError, MissingError):
raise Forbidden()

if not access_token:
authorized_user = request.env[res_model].browse(res_id).check_access_rights('write')
record = document_sudo.website_message_ids.mapped('attachment_ids').filtered(lambda x: x.id == int(attachment_id))
status, content, filename, mimetype, filehash = request.env['ir.http']._binary_record_content(
record, field=field, filename=None, filename_field=filename_field,
default_mimetype='application/octet-stream')
status, headers, content = request.env['ir.http']._binary_set_headers(
status, content, filename, mimetype, unique=False, filehash=filehash, download=download)

if access_token or authorized_user:
status, headers, content = request.env['ir.http'].binary_content(id=attachment_id, download=download, access_token=access_token, parent_model=res_model, parent_id=res_id)
if status == 304:
return werkzeug.wrappers.Response(status=304)
if status != 200:
return request.env['ir.http']._response_by_status(status, headers, content)
else:
content_base64 = base64.b64decode(content)
headers.append(('Content-Length', len(content_base64)))
return request.make_response(content_base64, headers)
else:
raise Forbidden()
response = request.make_response(content_base64, headers)

return response


class MailController(MailController):
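Review bot: `field` and `filename_field` in the new `download_attachment` signature are filled from the request on an `auth="public"` route and then handed to `_binary_record_content` on `record`, which is derived from `document_sudo`, so the caller rather than the server picks which attachment field is read with elevated rights. I would drop both from the signature and pass constants instead, `record, field='datas', filename=None, filename_field='name',`. The `filtered(...)` result is also used without checking that it matched anything; adding `if not record: raise Forbidden()` before the content call makes an attachment id that does not belong to this document fail closed. Separately, `request.env[model]` and `int(id)` sit in a `try` that only catches `AccessError` and `MissingError`, so an unknown model name or a non-numeric id appears to surface as an unhandled error rather than a clean 403/404. Old and new lines are interleaved on this page, so this reads the `model`/`id` variant as the new side.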
@@ -117,10 +117,10 @@
<t t-foreach='message.attachment_ids' t-as='attachment'>
<t t-call="mail.Attachment">
<t t-if="widget.options['token']">
<t t-set="attachment.url" t-value="'/portal/content/'+ attachment.id + '?access_token='+ widget.options['token'] + '&amp;res_model='+ widget.options['res_model'] + '&amp;res_id='+ widget.options['res_id'] + '&amp;download=true'"/>
<t t-set="attachment.url" t-value="'/portal/content/'+ attachment.id + '?access_token='+ widget.options['token'] + '&amp;model='+ widget.options['res_model'] + '&amp;id='+ widget.options['res_id'] + '&amp;download=true'"/>
</t>
<t t-else="">
<t t-set="attachment.url" t-value="'/portal/content/'+ attachment.id + '?res_model='+ widget.options['res_model'] + '&amp;res_id='+ widget.options['res_id'] + '&amp;download=true'"/>
<t t-set="attachment.url" t-value="'/portal/content/'+ attachment.id + '?model='+ widget.options['res_model'] + '&amp;id='+ widget.options['res_id'] + '&amp;download=true'"/>
</t>
<t t-set="disable_preview" t-value="true"/>
<t t-set="disable_delete" t-value="true"/>
