From 2ee1843757e87a75a36dce29eb47f784a4725c34 Mon Sep 17 00:00:00 2001
From: Martin Trigaux
Date: Wed, 17 Sep 2014 12:28:21 +0200
Subject: [PATCH] [FIX] website_sale: retrieve transactions as superuser
Due to additional security rules, the transactions made as public user will have a new partner_id. The transaction needs to be retrieved as admin to be set in the context. The operations in payment_get_status are made as superuser but the session_id is checked in the assert above to avoid url manipulation.
---
 addons/website_sale/controllers/main.py | 4 ++--
 addons/website_sale/models/website.py | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/addons/website_sale/controllers/main.py b/addons/website_sale/controllers/main.py
index 083f965..0e19324 100644
--- a/addons/website_sale/controllers/main.py
+++ b/addons/website_sale/controllers/main.py
@@ -690,7 +690,7 @@ class Ecommerce(http.Controller):
 }
 tx_ids = request.registry['payment.transaction'].search(
- cr, uid, [
+ cr, SUPERUSER_ID, [
 '|', ('sale_order_id', '=', order.id), ('reference', '=', order.name)
 ], context=context)
@@ -705,7 +705,7 @@ class Ecommerce(http.Controller):
 message = ""
 validation = None
 else:
- tx = request.registry['payment.transaction'].browse(cr, uid, tx_ids[0], context=context)
+ tx = request.registry['payment.transaction'].browse(cr, SUPERUSER_ID, tx_ids[0], context=context)
 state = tx.state
 if state == 'done':
 message = '

%s

' % _('Your payment has been received.')
diff --git a/addons/website_sale/models/website.py b/addons/website_sale/models/website.py
index d969d2a..2c5de4f 100644
--- a/addons/website_sale/models/website.py
+++ b/addons/website_sale/models/website.py
@@ -214,7 +214,7 @@ class Website(orm.Model):
 def preprocess_request(self, cr, uid, ids, request, context=None):
 request.context.update({
 'website_sale_order': self.ecommerce_get_current_order(cr, uid, context=context),
- 'website_sale_transaction': self.ecommerce_get_current_transaction(cr, uid, context=context)
+ 'website_sale_transaction': self.ecommerce_get_current_transaction(cr, SUPERUSER_ID, context=context)
 })
 return super(Website, self).preprocess_request(cr, uid, ids, request, context=None)
--
1.7.10.4
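Review bot: The `browse(cr, SUPERUSER_ID, ...)` in the main.py hunk at line 705, and the `search` in the hunk at line 690 that feeds it, now bypass record rules and ACLs on `payment.transaction`. The result is tied to the visitor only by `order` and by the session assert the commit message refers to, both of which sit outside these hunks. `tx` is therefore a superuser-bound record, so any later field access on it skips access checks; only `tx.state` is visible here, and the function continues past the hunk. I would add a comment at the search, e.g. `# sudo: record rules hide the public user's tx; caller is bound by the session assert above`. If the rest of the function needs only the state, consider `read(cr, SUPERUSER_ID, tx_ids[0], ['state'], context=context)` rather than keeping an elevated record. Also, `tx_ids[0]` takes the first match of an OR domain with no explicit order, which matters more once rules no longer filter the result.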
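Review bot: The record stored under `website_sale_transaction` in `request.context` is now fetched as SUPERUSER_ID whenever `preprocess_request` runs, so anything that later reads it from the context gets a transaction whose fields and relations are readable without access checks. That is only safe if `ecommerce_get_current_transaction` resolves the transaction strictly from the visitor's own session; that method is defined outside this hunk and should be confirmed. A comment on the changed line would help, e.g. `# sudo: tx id comes from the visitor's session; record rules would hide it from the public user`. The diff adds no import in either file, so `SUPERUSER_ID` must already be imported in both website.py and main.py, which is not visible here.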