mirror of
https://github.com/NaN-tic/trytond-patches.git
synced 2023-12-14 06:03:03 +01:00
fields check that the user has access rights to all models the field can point to. ir.attachment's resource field, for example, can refer to any model in Tryton but babi's models may not be registered so we prevent checking permissions on babi_execution_* models.
42 lines
1.7 KiB
Diff
42 lines
1.7 KiB
Diff
diff -r cc988ec8da34 trytond/trytond/protocols/dispatcher.py
|
|
--- a/trytond/trytond/protocols/dispatcher.py Mon Apr 23 17:12:37 2018 +0200
|
|
+++ b/trytond/trytond/protocols/dispatcher.py Fri May 11 12:53:17 2018 +0200
|
|
@@ -122,8 +122,19 @@
|
|
type, _ = method.split('.', 1)
|
|
name = '.'.join(method.split('.')[1:-1])
|
|
method = method.split('.')[-1]
|
|
- return pool.get(name, type=type), method
|
|
-
|
|
+ try:
|
|
+ obj = pool.get(name, type=type)
|
|
+ except KeyError:
|
|
+ if name[:15] == 'babi_execution_':
|
|
+ with Transaction().start(pool.database_name, request.user_id,
|
|
+ readonly=False):
|
|
+ Execution = pool.get('babi.report.execution')
|
|
+ execution = Execution(int(name[15:]))
|
|
+ execution.validate_model()
|
|
+ obj = pool.get(name, type=type)
|
|
+ else:
|
|
+ raise
|
|
+ return obj, method
|
|
|
|
@app.auth_required
|
|
@with_pool
|
|
diff -r d875ab180d75 trytond/ir/model.py
|
|
--- a/trytond/trytond/ir/model.py Mon May 06 14:45:35 2019 +0200
|
|
+++ b/trytond/trytond/ir/model.py Wed May 22 00:18:59 2019 +0200
|
|
@@ -587,8 +587,9 @@
|
|
# XXX Can not check access right on instance method
|
|
selection = []
|
|
for model_name, _ in selection:
|
|
- if model_name and not cls.check(model_name, mode=mode,
|
|
- raise_exception=False):
|
|
+ if (model_name and not model_name.startswith('babi_execution_')
|
|
+ and not cls.check(model_name, mode=mode,
|
|
+ raise_exception=False)):
|
|
return False
|
|
return True
|
|
else:
|
|
|