[FIX] mail: access error for the id of another company #28692

Julien00859
Member

When creating a mail for a user in another company than the
record, the "send" button fails with a traceback because one
specific template tries to access the company.id of the user,
which is not accessible due to the access control.

This PR fixes the problem by sudoing the access to the company id
in the template. The mail now sends without problem.

Steps to reproduce:

  1. Use two companies (comp1 and comp2), I used YourCompany and created
    another.
  2. Use 3 users (user1, user2, user3), I used "Mitchel Admin", "Demo
    user" and created the third one.
  3. Change the users to set both companies as allowed.
  4. Set the current company of the users as follows:
    user1: comp1
    user2: comp2
    user2: comp2
  5. Install the project module
  6. In settings > security > record rules, delete the records named
    • Project: multiple-company
    • Project/Task: multiple-company
      so each user can access tasks created in other companies.
  7. Using user1, create a new project and a new task.
  8. Using user2, go to the created task and add user3 as follower.
  9. Send the mail => traceback.

opw-1907844

I confirm I have signed the CLA and read the PR guidelines at www.odoo.com/submit-pr

@robodoo robodoo added the CI 🤖 Robodoo has seen passing statuses label Nov 14, 2018
@Yenthe666
Collaborator

@Julien00859 won't this cause issues? The e-mail template is in a no-update tag so existing instances wouldn't be updating the XML record, while the source terms could be updated causing an inconsistency. I might be wrong though, just wanted to mention it.

@C3POdoo C3POdoo added the OE the report is linked to a support ticket (opw-...) label Nov 14, 2018
@Julien00859
Member Author

@Yenthe666 I might be wrong, but are you sure it is in a no-update data tag? If I'm not wrong, the related XML data tag is the one at L40.

@Julien00859
Member Author

@nim-odoo I reproduced the bug on v11 too but the company.id is in a <field name="body_html"> so I would need to update the i18n too, @mart-e told me no change of translation for v11.

<img src="/logo.png?company=${company.id}" style="padding: 0px; margin: 0px; height: auto; max-width: 80px; max-height: 40px;" alt="${company.name}">

@Yenthe666
Collaborator

Sorry you're right, I missed the second tag which does update. Sorry!

Contributor

@nim-odoo nim-odoo left a comment

No error on company.name?

@Julien00859
Member Author

Damn, sorry nim, yesterday the fix was doing just fine, today I have plenty more bugs, including company.name

@Julien00859 Julien00859 deleted the 12.0-opw-1907844-follower_in_another_company-juc branch March 25, 2019 09:50