[FIX] ir_attachment: fix security issues on ir_attachment
author Martin Trigaux <mat@openerp.com>
Wed, 30 Oct 2013 08:44:08 +0000 (09:44 +0100)
committer Martin Trigaux <mat@openerp.com>
Wed, 30 Oct 2013 08:44:08 +0000 (09:44 +0100)
check: verify the permissions even when no ids are passed (skipped permission checking for create)
create: verify has the write access on the related model (instead of create, was not checked anyway)
function field: execute the write in fnct_inv as superuser (was impossible to have creation without write access)

bzr revid: mat@openerp.com-20131030084408-t857gl7d4lkbrj5p

openerp/addons/base/ir/ir_attachment.py

@@@ -142,9 -143,9 +143,10 @@@ class ir_attachment(osv.osv)
              if attach.store_fname:
                  self._file_delete(cr, uid, location, attach.store_fname)
              fname = self._file_write(cr, uid, location, value)
-             super(ir_attachment, self).write(cr, uid, [id], {'store_fname': fname, 'file_size': file_size}, context=context)
++            # SUPERUSER_ID as probably don't have write access, trigger during create
+             super(ir_attachment, self).write(cr, SUPERUSER_ID, [id], {'store_fname': fname, 'file_size': file_size}, context=context)
          else:
-             super(ir_attachment, self).write(cr, uid, [id], {'db_datas': value, 'file_size': file_size}, context=context)
+             super(ir_attachment, self).write(cr, SUPERUSER_ID, [id], {'db_datas': value, 'file_size': file_size}, context=context)
          return True
  
      _name = 'ir.attachment'
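
Review bot: Both `super(ir_attachment, self).write(cr, SUPERUSER_ID, [id], ...)` calls now bypass access rules and record rules for the calling `uid`, and nothing in the visible lines verifies that `uid` is allowed to modify attachment `id` before the elevated write. Since this inverse function also runs on an ordinary write of the data field, not only during create, the safety of the change depends entirely on a permission check having happened earlier in the call chain. Either call the attachment `check` method for the write mode with the original `uid` at the top of this function, or extend the comment to state that invariant explicitly (which caller has already validated access, and for which operation) so a later refactor does not silently remove the only guard. The new comment also sits only above the `store_fname` branch while the `db_datas` branch gets the same elevation; move it above the `if` or repeat it so both paths are covered, and reword "probably don't have write access" into a definite statement of why superuser is required.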