[FIX] website: correctly check security of publish mixin

Commit 91696805 introduced a mechanism to check rights when writing or creating on `website_published` field. Problem is, `website_published` is just kind of a related to `is_published` which really stores the value. Thus, the checks would not work when writing/creating on `is_published`. That would leave a loophole to bypass the expected behavior.

[FIX] website: correctly check security of publish mixin
4086f344 · Romain Derie · Jeremy Kersten · 7a90dedd · 4086f344
Commit 4086f344 authored 5 years ago by Romain Derie Committed by Jeremy Kersten 5 years ago
--- a/addons/website/models/mixins.py
+++ b/addons/website/models/mixins.py
@@ -149,14 +149,16 @@ class WebsitePublishedMixin(models.AbstractModel):
    @api.model_create_multi
    def create(self, vals_list):
        records = super(WebsitePublishedMixin, self).create(vals_list)
-        is_publish_modified = any('website_published' in values for values in vals_list)
+        is_publish_modified = any(
+            [set(v.keys()) & {'is_published', 'website_published'} for v in vals_list]
+        )
        if is_publish_modified and not all(record.can_publish for record in records):
            raise AccessError(self._get_can_publish_error_message())

        return records

    def write(self, values):
-        if 'website_published' in values and not all(record.can_publish for record in self):
+        if 'is_published' in values and not all(record.can_publish for record in self):
            raise AccessError(self._get_can_publish_error_message())

        return super(WebsitePublishedMixin, self).write(values)