[FIX] website_sale: avoid displaying inactive products in shops

The domains in the form ('o2m_field', operator, False) do not use the orm but convert the domain to ('id', 'invert operator', [list of ids]). This means that the orm is not used and implicit filter (active=True) or access rights are not checked.
A proper fix in master should be done to use the orm instead of an SQL query.
This patch force a search to be made on product.product and then exclude the products where active=False (opw 607602).

diff --git a/addons/website_sale/models/website.py b/addons/website_sale/models/website.py
index b471935..d969d2a 100644 (file)
--- a/addons/website_sale/models/website.py
+++ b/addons/website_sale/models/website.py
@@ -219,4 +219,8 @@ class Website(orm.Model):
         return super(Website, self).preprocess_request(cr, uid, ids, request, context=None)
 
     def ecommerce_get_product_domain(self):
-        return [("sale_ok", "=", True),("product_variant_ids","!=",False)]
+        return [
+            ("sale_ok", "=", True),
+            # force search on product.product to use the orm (exclude active, acl,..)
+            ("product_variant_ids.id", "!=", False),
+        ]