[FIX] website_sale: retrieve transactions as superuser

Due to additional security rules, the transactions made as public user will have a new partner_id. The transaction needs to be retrieved as admin to be set in the context.
The operations in payment_get_status are made as superuser but the session_id is checked in the assert above to avoid url manipulation.

addons/website_sale/controllers/main.py

@@ -690,7 +690,7 @@ class Ecommerce(http.Controller):
             }
 
         tx_ids = request.registry['payment.transaction'].search(
-            cr, uid, [
+            cr, SUPERUSER_ID, [
                 '|', ('sale_order_id', '=', order.id), ('reference', '=', order.name)
             ], context=context)
 
@@ -705,7 +705,7 @@ class Ecommerce(http.Controller):
                 message = ""
                 validation = None
         else:
-            tx = request.registry['payment.transaction'].browse(cr, uid, tx_ids[0], context=context)
+            tx = request.registry['payment.transaction'].browse(cr, SUPERUSER_ID, tx_ids[0], context=context)
             state = tx.state
             if state == 'done':
                 message = '<p>%s</p>' % _('Your payment has been received.')

addons/website_sale/models/website.py

@@ -214,7 +214,7 @@ class Website(orm.Model):
     def preprocess_request(self, cr, uid, ids, request, context=None):
         request.context.update({
             'website_sale_order': self.ecommerce_get_current_order(cr, uid, context=context),
-            'website_sale_transaction': self.ecommerce_get_current_transaction(cr, uid, context=context)
+            'website_sale_transaction': self.ecommerce_get_current_transaction(cr, SUPERUSER_ID, context=context)
         })
         return super(Website, self).preprocess_request(cr, uid, ids, request, context=None)