[FIX] ir_attachment: fix security issues on ir_attachment
authorMartin Trigaux <mat@openerp.com>
Tue, 29 Oct 2013 17:14:20 +0000 (18:14 +0100)
committerMartin Trigaux <mat@openerp.com>
Tue, 29 Oct 2013 17:14:20 +0000 (18:14 +0100)
check: verify the permissions even when no ids are passed (skipped permission checking for create)
create: verify the user has write access on the related model (instead of create, which was not checked anyway)
function field: execute the write in fnct_inv as superuser (was impossible to have creation without write access)

bzr revid: mat@openerp.com-20131029171420-x87wu7ph8ej7mtro

openerp/addons/base/ir/ir_attachment.py

index 857ebc7..a286670 100644 (file)
@@ -27,6 +27,7 @@ import re
 
 from openerp import tools
 from openerp.osv import fields,osv
 
 from openerp import tools
 from openerp.osv import fields,osv
+from openerp import SUPERUSER_ID
 
 _logger = logging.getLogger(__name__)
 
 
 _logger = logging.getLogger(__name__)
 
@@ -142,9 +143,9 @@ class ir_attachment(osv.osv):
             if attach.store_fname:
                 self._file_delete(cr, uid, location, attach.store_fname)
             fname = self._file_write(cr, uid, location, value)
             if attach.store_fname:
                 self._file_delete(cr, uid, location, attach.store_fname)
             fname = self._file_write(cr, uid, location, value)
-            super(ir_attachment, self).write(cr, uid, [id], {'store_fname': fname, 'file_size': file_size}, context=context)
+            super(ir_attachment, self).write(cr, SUPERUSER_ID, [id], {'store_fname': fname, 'file_size': file_size}, context=context)
         else:
         else:
-            super(ir_attachment, self).write(cr, uid, [id], {'db_datas': value, 'file_size': file_size}, context=context)
+            super(ir_attachment, self).write(cr, SUPERUSER_ID, [id], {'db_datas': value, 'file_size': file_size}, context=context)
         return True
 
     _name = 'ir.attachment'
         return True
 
     _name = 'ir.attachment'
@@ -186,8 +187,6 @@ class ir_attachment(osv.osv):
         In the 'document' module, it is overriden to relax this hard rule, since
         more complex ones apply there.
         """
         In the 'document' module, it is overriden to relax this hard rule, since
         more complex ones apply there.
         """
-        if not ids:
-            return
         res_ids = {}
         if ids:
             if isinstance(ids, (int, long)):
         res_ids = {}
         if ids:
             if isinstance(ids, (int, long)):
@@ -290,7 +289,7 @@ class ir_attachment(osv.osv):
         return super(ir_attachment, self).unlink(cr, uid, ids, context)
 
     def create(self, cr, uid, values, context=None):
         return super(ir_attachment, self).unlink(cr, uid, ids, context)
 
     def create(self, cr, uid, values, context=None):
-        self.check(cr, uid, [], mode='create', context=context, values=values)
+        self.check(cr, uid, [], mode='write', context=context, values=values)
         if 'file_size' in values:
             del values['file_size']
         return super(ir_attachment, self).create(cr, uid, values, context)
         if 'file_size' in values:
             del values['file_size']
         return super(ir_attachment, self).create(cr, uid, values, context)
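Review bot: The two `super(ir_attachment, self).write(cr, SUPERUSER_ID, ...)` calls in the fnct_inv setter (hunk at old line 142) bypass every ACL and record rule on ir.attachment, so the only thing preventing a read-only user from overwriting another record's datas is whatever access check runs earlier in that setter, which is outside this hunk. If that check is not an explicit `self.check(cr, uid, [id], mode='write', context=context)` on the attachment being written, it should run before `_file_delete`/`_file_write` are called, and a comment such as `# access on [id] already verified above; SUPERUSER_ID only bypasses the write restriction on store_fname/file_size` would document why the escalation is safe. A related point applies to `create` (hunk at old line 290): `self.check(cr, uid, [], mode='write', ...)` can presumably only verify the related record when `values` carries `res_model`/`res_id`, so an attachment created with neither may pass with no check at all — worth confirming and stating in `check`'s docstring. Both the setter and `check` start and end outside their hunks.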