[FIX] website_sale: retrieve transactions as superuser
authorMartin Trigaux <mat@openerp.com>
Wed, 17 Sep 2014 10:28:21 +0000 (12:28 +0200)
committerMartin Trigaux <mat@openerp.com>
Wed, 17 Sep 2014 10:52:28 +0000 (12:52 +0200)
Due to additional security rules, the transactions made as public user will have a new partner_id. The transaction needs to be retrieved as admin to be set in the context.
The operations in payment_get_status are made as superuser but the session_id is checked in the assert above to avoid url manipulation.

addons/website_sale/controllers/main.py
addons/website_sale/models/website.py

index 083f965..0e19324 100644 (file)
@@ -690,7 +690,7 @@ class Ecommerce(http.Controller):
             }
 
         tx_ids = request.registry['payment.transaction'].search(
-            cr, uid, [
+            cr, SUPERUSER_ID, [
                 '|', ('sale_order_id', '=', order.id), ('reference', '=', order.name)
             ], context=context)
 
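Review bot: The search at `cr, SUPERUSER_ID, [` now bypasses record rules, so the only thing tying the result to the visitor is the session check that the commit message places in an `assert` above this hunk. Python removes `assert` statements when run with `-O`, which would leave this search and the `browse(cr, SUPERUSER_ID, tx_ids[0], ...)` in the next hunk without any ownership check; the session comparison belongs in an explicit `if` that returns an error response. A comment on the search such as `# superuser: the public user cannot read its own transaction; the order is bound to the session above` would record why the elevation is acceptable. The enclosing method starts and ends outside the hunk, so the assert itself is not visible here.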
@@ -705,7 +705,7 @@ class Ecommerce(http.Controller):
                 message = ""
                 validation = None
         else:
-            tx = request.registry['payment.transaction'].browse(cr, uid, tx_ids[0], context=context)
+            tx = request.registry['payment.transaction'].browse(cr, SUPERUSER_ID, tx_ids[0], context=context)
             state = tx.state
             if state == 'done':
                 message = '<p>%s</p>' % _('Your payment has been received.')
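Review bot: `tx_ids[0]` takes whichever transaction the search returns first, and the search in the previous hunk passes neither `order` nor `limit`. Run as superuser, the `'|'` domain can also match transactions that record rules used to hide, for example an earlier attempt carrying the same order reference, so the state reported here may not belong to the latest attempt. Passing `order='id desc', limit=1` to the search would make the choice deterministic; this is hedged, because the model's default `_order` is not visible in the diff. The `if state == 'done'` chain continues outside the hunk.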
index d969d2a..2c5de4f 100644 (file)
@@ -214,7 +214,7 @@ class Website(orm.Model):
     def preprocess_request(self, cr, uid, ids, request, context=None):
         request.context.update({
             'website_sale_order': self.ecommerce_get_current_order(cr, uid, context=context),
-            'website_sale_transaction': self.ecommerce_get_current_transaction(cr, uid, context=context)
+            'website_sale_transaction': self.ecommerce_get_current_transaction(cr, SUPERUSER_ID, context=context)
         })
         return super(Website, self).preprocess_request(cr, uid, ids, request, context=None)
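Review bot: `ecommerce_get_current_transaction` is now called with `SUPERUSER_ID` on every request while `ecommerce_get_current_order` stays on `uid`, and the result is stored in `request.context` for later consumers. If the helper returns a browse record it is presumably bound to the superuser, so code or templates that follow its relations would skip access rules; the helper's body is outside this diff, so whether it only returns the transaction recorded in the visitor's session cannot be confirmed here. I would add a comment on the changed line, `# superuser read: the public user cannot read the transaction; the helper must return only the session's own transaction`, and verify that property in the helper. Separately, the unchanged last line passes `context=None` to `super()` where `context=context` looks intended.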