[FIX] fields: *2many related fields should not be read as superuser

one2many and many2many fields depends on the security rules.
For instance, on products, with the taxes_id many2many fields, you only see the taxes of your own company, thanks to the multi company security rule
With related *2many fields, if you browse it with superuser, you will have all records of the one2many fields, even those you are not allowed to see, as superuser ignores security rules.

For instance, taxes_id of product.product is a related of taxes_id of product_template (through the inherits on product.template), and you should see the same taxes on the product template and on the product product (variant). This is not the case if the fields is read using the superuser

diff --git a/openerp/fields.py b/openerp/fields.py
index 35f7e74..c2f9d93 100644 (file)
--- a/openerp/fields.py
+++ b/openerp/fields.py
@@ -1484,6 +1484,15 @@ class _RelationalMulti(_Relational):
     def convert_to_display_name(self, value):
         raise NotImplementedError()
 
+    def _compute_related(self, records):
+        """ Compute the related field `self` on `records`. """
+        for record in records:
+            value = record
+            # traverse the intermediate fields, and keep at most one record
+            for name in self.related[:-1]:
+                value = value[name][:1]
+            record[self.name] = value[self.related[-1]]
+
 
 class One2many(_RelationalMulti):
     """ One2many field; the value of such a field is the recordset of all the