The domains in the form ('o2m_field', operator, False) do not use the orm but convert the domain to ('id', 'invert operator', [list of ids]). This means that the orm is not used and implicit filter (active=True) or access rights are not checked.
A proper fix in master should be done to use the orm instead of an SQL query.
This patch force a search to be made on product.product and then exclude the products where active=False (opw 607602).
return super(Website, self).preprocess_request(cr, uid, ids, request, context=None)
def ecommerce_get_product_domain(self):
- return [("sale_ok", "=", True),("product_variant_ids","!=",False)]
+ return [
+ ("sale_ok", "=", True),
+ # force search on product.product to use the orm (exclude active, acl,..)
+ ("product_variant_ids.id", "!=", False),
+ ]