[FIX] website: public user should see published pp

As the public user, browse the website where you usually should see some profile pictures (e.g. inside the forum). All the images are wrongly replaced by the grey avatar placeholder. When using `ir.binary._find_record` it was checking the access rights and raising `AccessError` early even if the record was `website_published`. closes odoo/odoo#113427 Signed-off-by: Julien Castiaux (juc) <juc@odoo.com>

[FIX] website: public user should see published pp
0611fb43 · Julien Castiaux · ef57d538 · 0611fb43 · 0611fb43 · 0611fb43
Commit 0611fb43 authored 2 years ago by Julien Castiaux
--- a/addons/website/models/ir_binary.py
+++ b/addons/website/models/ir_binary.py
@@ -22,7 +22,10 @@ class IrBinary(models.AbstractModel):
        if not record:
            record = super()._find_record(xmlid, res_model, res_id, access_token)

-        if 'website_published' in record and record.sudo().website_published:
-            record = record.sudo()
-
        return record
+
+    def _find_record_check_access(self, record, access_token):
+        if 'website_published' in record._fields and record.sudo().website_published:
+            return record.sudo()
+
+        return super()._find_record_check_access(record, access_token)
--- a/addons/website/tests/test_controllers.py
+++ b/addons/website/tests/test_controllers.py
@@ -90,3 +90,16 @@ class TestControllers(tests.HttpCase):
        }
        self.assertEqual(submap(res.headers, headers.keys()), headers)
        self.assertEqual(res.content, attachment.raw)
+
+    def test_04_website_partner_avatar(self):
+        partner = self.env['res.partner'].create({'name': "Jack O'Neill"})
+
+        with self.subTest(published=False):
+            partner.website_published = False
+            res = self.url_open(f'/website/image/res.partner/{partner.id}/avatar_128?download=1')
+            self.assertEqual(res.status_code, 404, "Public user should't access avatar of unpublished partners")
+
+        with self.subTest(published=True):
+            partner.website_published = True
+            res = self.url_open(f'/website/image/res.partner/{partner.id}/avatar_128?download=1')
+            self.assertEqual(res.status_code, 200, "Public user should access avatar of published partners")
--- a/addons/website/tests/test_performance.py
+++ b/addons/website/tests/test_performance.py
@@ -48,8 +48,8 @@ class TestStandardPerformance(UtilPerf):
        self.authenticate('demo', 'demo')
        self.env['res.users'].sudo().browse(2).website_published = True
        url = '/web/image/res.users/2/image_256'
-        self.assertEqual(self._get_url_hot_query(url), 8)
-        self.assertEqual(self._get_url_hot_query(url, cache=False), 8)
+        self.assertEqual(self._get_url_hot_query(url), 6)
+        self.assertEqual(self._get_url_hot_query(url, cache=False), 6)

    @mute_logger('odoo.http')
    def test_20_perf_sql_img_controller_bis(self):

--- a/odoo/addons/base/models/ir_binary.py
+++ b/odoo/addons/base/models/ir_binary.py
@@ -46,12 +46,15 @@ class IrBinary(models.AbstractModel):
        if not record:
            raise MissingError(f"No record found for xmlid={xmlid}, res_model={res_model}, id={res_id}")

+        record = self._find_record_check_access(record, access_token)
+        return record
+
+    def _find_record_check_access(self, record, access_token):
        if record._name == 'ir.attachment':
-            record = record.validate_access(access_token)
-        else:
-            record.check_access_rights('read')
-            record.check_access_rule('read')
+            return record.validate_access(access_token)

+        record.check_access_rights('read')
+        record.check_access_rule('read')
        return record

    def _record_to_stream(self, record, field_name):