[FW][FIX] website_slides: user can not access his own attachment in the PortalComposer #159303

Closed
8 changes: 3 additions & 5 deletions addons/portal/controllers/portal.py
Expand Up @@ -330,13 +330,11 @@ def attachment_add(self, name, file, res_model, res_id, access_token=None, **kwa
raise UserError(_("The document does not exist or you do not have the rights to access it."))

IrAttachment = request.env['ir.attachment']
access_token = False

# Avoid using sudo or creating access_token when not necessary: internal
# users can create attachments, as opposed to public and portal users.
# Avoid using sudo when not necessary: internal users can create attachments,
# as opposed to public and portal users.
if not request.env.user._is_internal():
IrAttachment = IrAttachment.sudo()
access_token = IrAttachment._generate_access_token()

# At this point the related message does not exist yet, so we assign
# those specific res_model and res_is. They will be correctly set
Expand All @@ -347,7 +345,7 @@ def attachment_add(self, name, file, res_model, res_id, access_token=None, **kwa
'datas': base64.b64encode(file.read()),
'res_model': 'mail.compose.message',
'res_id': 0,
'access_token': access_token,
'access_token': IrAttachment._generate_access_token(),
})
return request.make_response(
data=json.dumps(attachment.read(['id', 'name', 'mimetype', 'file_size', 'access_token'])[0]),
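Review bot: The rewritten comment above `if not request.env.user._is_internal():` no longer mentions the access token, so nothing explains why `'access_token': IrAttachment._generate_access_token()` in the `create()` values now runs for internal users too. The token is returned in the JSON response and presumably acts as a bearer credential for the pending attachment, so the reason belongs next to the field, for example `# Always issue a token: the composer must present it to attach this pending file, internal users included.` That wording is inferred from the PR title and should be confirmed by the author. `attachment_add` starts and ends outside the visible hunks.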
17 changes: 16 additions & 1 deletion addons/website_slides/tests/test_ui_wslides.py
Expand Up @@ -4,7 +4,7 @@

from dateutil.relativedelta import relativedelta

from odoo import tests
from odoo import http, tests
from odoo.addons.base.tests.common import HttpCaseWithUserPortal
from odoo.addons.gamification.tests.common import HttpCaseGamification
from odoo.fields import Command, Datetime
Expand Down Expand Up @@ -269,3 +269,18 @@ def test_course_publisher_elearning_manager(self):
})

self.start_tour(self.env['website'].get_client_action_url('/slides'), 'course_publisher', login=user_demo.login)


@tests.common.tagged('external', 'post_install', '-standard', '-at_install')
class TestPortalComposer(TestUICommon):
def test_portal_composer_attachment(self):
"""Check that the access token is returned when we upload an attachment."""
self.authenticate('demo', 'demo')
response = self.url_open('/portal/attachment/add', data={
'name': 'image.png',
'res_id': self.channel.id,
'res_model': 'slide.channel',
'csrf_token': http.WebRequest.csrf_token(self),
}, files={'file': ('image.png', '', 'image/png')})
self.assertTrue(response.ok)
self.assertTrue(response.json().get('access_token'))
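Review bot: The tags on `TestPortalComposer` include `'external'` and `'-standard'`, which appears to take this regression test out of the default test run, yet nothing in `test_portal_composer_attachment` reaches outside the instance. If that reading is right, `@tests.common.tagged('post_install', '-at_install')` would keep the access-token check in the regular suite. The test also covers only the authenticated `demo` user and only asserts that a token is present. A second case asserting that the upload is refused for a `res_id` the caller cannot access would pin the rights check the controller makes before creating the attachment.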