[FIX] payment: access rights limitation
authorMartin Trigaux <mat@openerp.com>
Tue, 16 Sep 2014 13:27:56 +0000 (15:27 +0200)
committerMartin Trigaux <mat@openerp.com>
Tue, 16 Sep 2014 14:44:42 +0000 (16:44 +0200)
Do not allow everybody to access account.transactions.
Restrict default access to read-only and further restrict it with a record rule; give access to salesmen.

addons/payment/__openerp__.py
addons/payment/security/ir.model.access.csv
addons/payment/security/payment_security.xml [new file with mode: 0644]
addons/payment_paypal/models/paypal.py
addons/website_payment/__openerp__.py
addons/website_payment/payment_security.xml [new file with mode: 0644]

index c192bec..a3843a8 100644 (file)
@@ -12,6 +12,7 @@
         'views/payment_acquirer.xml',
         'views/res_config_view.xml',
         'security/ir.model.access.csv',
+        'security/payment_security.xml',
     ],
     'installable': True,
     'auto_install': True,
index 18f9893..f52f9a4 100644 (file)
@@ -2,6 +2,6 @@ id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
 payment_acquirer_all,payment.acquirer.all,model_payment_acquirer,,1,0,0,0
 payment_acquirer_user,payment.acquirer.user,model_payment_acquirer,base.group_user,1,1,1,0
 payment_acquirer_system,payment.acquirer.system,model_payment_acquirer,base.group_system,1,1,1,1
-payment_transaction_all,payment.transaction.all,model_payment_transaction,,1,1,1,0
+payment_transaction_all,payment.transaction.all,model_payment_transaction,,1,0,0,0
 payment_transaction_user,payment.transaction.user,model_payment_transaction,base.group_user,1,1,1,0
 payment_transaction_system,payment.transaction.system,model_payment_transaction,base.group_system,1,1,1,1
\ No newline at end of file
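Review bot: `payment_transaction_all` still grants read with an empty group, so the only thing limiting which transactions a user can read is a record rule that applies to that user. The rule added in payment_security.xml is bound to `base.group_user` and `base.group_portal` only, and group-bound rules do not constrain users outside those groups. Such a user (for instance the public user when website_payment is not installed) would appear to keep unrestricted read. Consider replacing the group-less line with per-group read lines, or making the restricting rule global, so the default is deny rather than allow.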
diff --git a/addons/payment/security/payment_security.xml b/addons/payment/security/payment_security.xml
new file mode 100644 (file)
index 0000000..8fb4def
--- /dev/null
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<openerp>
+    <data noupdate="1">
+
+        <record id="payment_transaction_user_rule" model="ir.rule">
+            <field name="name">Access own payment transaction only</field>
+            <field name="model_id" ref="payment.model_payment_transaction"/>
+            <field name="domain_force">[
+                '|',
+                    ('partner_id','=',False),
+                    ('partner_id','=',user.partner_id.id)
+                ]</field>
+            <field name="groups" eval="[(4, ref('base.group_user')), (4, ref('base.group_portal'))]"/>
+        </record>
+
+        <record id="payment_transaction_salesman_rule" model="ir.rule">
+            <field name="name">Access every payment transaction</field>
+            <field name="model_id" ref="payment.model_payment_transaction"/>
+            <field name="domain_force">[(1, '=', 1)]</field>
+            <field name="groups" eval="[(4, ref('base.group_sale_salesman'))]"/>
+        </record>
+
+    </data>
+</openerp>
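Review bot: The `('partner_id','=',False)` branch of `payment_transaction_user_rule` lets every member of `base.group_user` and `base.group_portal` see all transactions that have no partner set, not only their own. The record sets none of the `perm_read`/`perm_write`/`perm_create`/`perm_unlink` fields, so the same domain also governs write and create wherever the ACL allows them. If partner-less transactions must stay reachable for a checkout step, state that reason in an XML comment above the record. Otherwise reduce the domain to `[('partner_id','=',user.partner_id.id)]`.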
index a17f6ac..bade234 100644 (file)
@@ -14,6 +14,7 @@ from openerp.addons.payment.models.payment_acquirer import ValidationError
 from openerp.addons.payment_paypal.controllers.main import PaypalController
 from openerp.osv import osv, fields
 from openerp.tools.float_utils import float_compare
+from openerp import SUPERUSER_ID
 
 _logger = logging.getLogger(__name__)
 
@@ -99,7 +100,7 @@ class AcquirerPaypal(osv.Model):
         return fees
 
     def paypal_form_generate_values(self, cr, uid, id, partner_values, tx_values, context=None):
-        base_url = self.pool['ir.config_parameter'].get_param(cr, uid, 'web.base.url')
+        base_url = self.pool['ir.config_parameter'].get_param(cr, SUPERUSER_ID, 'web.base.url')
         acquirer = self.browse(cr, uid, id, context=context)
 
         paypal_tx_values = dict(tx_values)
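Review bot: The switch to `SUPERUSER_ID` in `paypal_form_generate_values` has no comment explaining why a configuration read needs elevated rights, so a later reader may copy the pattern to broader calls. A line such as `# superuser only for this key: the paying user may not be allowed to read ir.config_parameter` above the call would pin the scope. The `self.browse(cr, uid, ...)` on the next line correctly stays on the caller's uid. Only paypal.py is changed in this commit, so other acquirer modules that read `web.base.url` with the caller's uid would presumably need the same change. The method body continues outside the hunk.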
index c745f64..4c13b56 100644 (file)
@@ -12,6 +12,7 @@
         'payment',
     ],
     'data': [
+        'payment_security.xml',
         'views/website_payment_templates.xml',
         'views/website_settings_payment.xml',
     ],
diff --git a/addons/website_payment/payment_security.xml b/addons/website_payment/payment_security.xml
new file mode 100644 (file)
index 0000000..d8aafa1
--- /dev/null
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<openerp>
+    <data noupdate="1">
+
+        <record id="payment.payment_transaction_user_rule" model="ir.rule">
+            <field name="groups" eval="[(4, ref('base.group_public'))]"/>
+        </record>
+
+    </data>
+</openerp>
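Review bot: Adding `base.group_public` to `payment.payment_transaction_user_rule` makes `('partner_id','=',user.partner_id.id)` compare against the public user's partner, which is a single record shared by all anonymous visitors. Any transaction created for that partner, and every partner-less one, would then be readable from any anonymous session. If checkout can run before login, the rule needs a session-bound criterion, and none is visible here. Separately, both files use `noupdate="1"`: as far as I know, a noupdate record that already exists is skipped in update mode. On a database where website_payment is already installed, this group may therefore never be added once payment's update has created the rule, which is worth verifying with an upgrade test.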