[FIX] ir_attachment: restrict access to orphan attachments to employees
authorDenis Ledoux <dle@odoo.com>
Thu, 2 Oct 2014 13:17:48 +0000 (15:17 +0200)
committerDenis Ledoux <dle@odoo.com>
Thu, 2 Oct 2014 13:17:48 +0000 (15:17 +0200)
openerp/addons/base/ir/ir_attachment.py

index 19c6663..996b0f6 100644 (file)
@@ -28,6 +28,8 @@ import re
 from openerp import tools
 from openerp.osv import fields,osv
 from openerp import SUPERUSER_ID
+from openerp.osv.orm import except_orm
+from openerp.tools.translate import _
 
 _logger = logging.getLogger(__name__)
 
@@ -189,12 +191,14 @@ class ir_attachment(osv.osv):
         more complex ones apply there.
         """
         res_ids = {}
+        require_employee = False
         if ids:
             if isinstance(ids, (int, long)):
                 ids = [ids]
             cr.execute('SELECT DISTINCT res_model, res_id FROM ir_attachment WHERE id = ANY (%s)', (ids,))
             for rmod, rid in cr.fetchall():
                 if not (rmod and rid):
+                    require_employee = True
                     continue
                 res_ids.setdefault(rmod,set()).add(rid)
         if values:
@@ -206,10 +210,16 @@ class ir_attachment(osv.osv):
             # ignore attachments that are not attached to a resource anymore when checking access rights
             # (resource was deleted but attachment was not)
             if not self.pool.get(model):
+                require_employee = True
                 continue
-            mids = self.pool.get(model).exists(cr, uid, mids)
+            existing_ids = self.pool.get(model).exists(cr, uid, mids)
+            if len(existing_ids) != len(mids):
+                require_employee = True
             ima.check(cr, uid, model, mode)
-            self.pool.get(model).check_access_rule(cr, uid, mids, mode, context=context)
+            self.pool.get(model).check_access_rule(cr, uid, existing_ids, mode, context=context)
+        if require_employee:
+            if not self.pool['res.users'].has_group(cr, uid, 'base.group_user'):
+                raise except_orm(_('Access Denied'), _("Sorry, you are not allowed to access this document."))
 
     def _search(self, cr, uid, args, offset=0, limit=None, order=None, context=None, count=False, access_rights_uid=None):
         ids = super(ir_attachment, self)._search(cr, uid, args, offset=offset,