From: Martin Trigaux Date: Wed, 30 Oct 2013 08:44:08 +0000 (+0100) Subject: [FIX] ir_attachment: fix security issues on ir_attachment X-Git-Tag: InsPy_master01~464^2~312 X-Git-Url: http://git.inspyration.org/?a=commitdiff_plain;h=e2d6786bc151cf53c06147ea958c22065e87b568;p=odoo%2Fodoo.git [FIX] ir_attachment: fix security issues on ir_attachment check: verify the permissions even when no ids are passed (skipped permission checking for create) create: verify has the write access on the related model (instead of create, was not checked anyway) function field: execute the write in fnct_inv as superuser (was impossible to have creation without write access) bzr revid: mat@openerp.com-20131030084408-t857gl7d4lkbrj5p
--- e2d6786bc151cf53c06147ea958c22065e87b568
diff --cc openerp/addons/base/ir/ir_attachment.py
index 857ebc7,a286670..6cfcd7c
--- a/openerp/addons/base/ir/ir_attachment.py
+++ b/openerp/addons/base/ir/ir_attachment.py
@@@ -142,9 -143,9 +143,10 @@@ class ir_attachment(osv.osv)
  if attach.store_fname:
  self._file_delete(cr, uid, location, attach.store_fname)
  fname = self._file_write(cr, uid, location, value)
- super(ir_attachment, self).write(cr, uid, [id], {'store_fname': fname, 'file_size': file_size}, context=context)
++ # SUPERUSER_ID as probably don't have write access, trigger during create
+ super(ir_attachment, self).write(cr, SUPERUSER_ID, [id], {'store_fname': fname, 'file_size': file_size}, context=context)
  else:
- super(ir_attachment, self).write(cr, uid, [id], {'db_datas': value, 'file_size': file_size}, context=context)
+ super(ir_attachment, self).write(cr, SUPERUSER_ID, [id], {'db_datas': value, 'file_size': file_size}, context=context)
  return True
  _name = 'ir.attachment'
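Review bot: Both `super(ir_attachment, self).write(cr, SUPERUSER_ID, ...)` calls now skip the caller's ACL and record-rule evaluation on ir.attachment, so the only authorization left for this inverse function is whatever `check()` did in the create/write path that triggered it, and that path is not visible in this hunk. The added comment should state that invariant instead of a guess, for example `# fnct_inv also runs during create(); the caller's rights were already verified by check(), so store as SUPERUSER_ID`, and the `else` branch deserves the same line. It is worth confirming that every entry point able to set the binary field reaches `check()` before this code runs, because a path that does not would leave the `store_fname`/`db_datas` write with no permission check at all. The enclosing function starts above the hunk, and the `SUPERUSER_ID` import is presumably elsewhere in the file.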