Skip to content
Snippets Groups Projects
Commit 55878df5 authored by Toufik Benjaa's avatar Toufik Benjaa
Browse files

[FIX] account_payment: Restrain access to invoice's partner 

- Restrain the creation of transaction for an invoice to the invoice partner.
- Removed the callback_method argument as it was unused.
parent 0f9bf4b0
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
addons/account_payment/controllers/payment.py
+ 13
17
View file @ 55878df5
......@@ -8,7 +8,7 @@ from odoo.http import request, route
class PaymentPortal(http.Controller):
@route('/invoice/pay/<int:invoice_id>/form_tx', type='json', auth="public", website=True)
@route('/invoice/pay/<int:invoice_id>/form_tx', type='json', auth="user", website=True)
def invoice_pay_form(self, acquirer_id, invoice_id, save_token=False, access_token=None, **kwargs):
""" Json method that creates a payment.transaction, used to create a
transaction when the user clicks on 'pay now' button on the payment
......@@ -17,11 +17,13 @@ class PaymentPortal(http.Controller):
:return html: form containing all values related to the acquirer to
redirect customers to the acquirer website """
success_url = kwargs.get('success_url', '/my')
callback_method = kwargs.get('callback_method', '')
invoice_sudo = request.env['account.invoice'].sudo().browse(invoice_id)
if not invoice_sudo:
return False
# Check if the current user has access to this invoice
commercial_partner_id = request.env.user.partner_id.commercial_partner_id.id
if request.env['account.invoice'].sudo().search_count([('id', '=', invoice_id), ('message_partner_ids', 'child_of', commercial_partner_id)]) == 0:
return False
try:
acquirer = request.env['payment.acquirer'].browse(int(acquirer_id))
......@@ -33,12 +35,7 @@ class PaymentPortal(http.Controller):
invoice_sudo,
acquirer,
payment_token=token,
tx_type='form_save' if save_token else 'form',
add_tx_values={
'callback_model_id': request.env['ir.model'].sudo().search([('model', '=', invoice_sudo._name)], limit=1).id,
'callback_res_id': invoice_sudo.id,
'callback_method': callback_method,
})
tx_type='form_save' if save_token else 'form')
# set the transaction id into the session
request.session['portal_invoice_%s_transaction_id' % invoice_sudo.id] = tx.id
......@@ -53,12 +50,11 @@ class PaymentPortal(http.Controller):
}
)
@http.route('/invoice/pay/<int:invoice_id>/s2s_token_tx', type='http', auth='public', website=True)
@http.route('/invoice/pay/<int:invoice_id>/s2s_token_tx', type='http', auth='user', website=True)
def invoice_pay_token(self, invoice_id, pm_id=None, **kwargs):
""" Use a token to perform a s2s transaction """
error_url = kwargs.get('error_url', '/my')
success_url = kwargs.get('success_url', '/my')
callback_method = kwargs.get('callback_method', '')
access_token = kwargs.get('access_token')
params = {}
if access_token:
......@@ -69,6 +65,11 @@ class PaymentPortal(http.Controller):
params['error'] = 'pay_invoice_invalid_doc'
return request.redirect(_build_url_w_params(error_url, params))
# Check if the current user has access to this invoice
commercial_partner_id = request.env.user.partner_id.commercial_partner_id.id
if request.env['account.invoice'].sudo().search_count([('id', '=', invoice_id), ('message_partner_ids', 'child_of', commercial_partner_id)]) == 0:
return False
try:
token = request.env['payment.token'].sudo().browse(int(pm_id))
except (ValueError, TypeError):
......@@ -82,12 +83,7 @@ class PaymentPortal(http.Controller):
invoice_sudo,
token.acquirer_id,
payment_token=token,
tx_type='server2server',
add_tx_values={
'callback_model_id': request.env['ir.model'].sudo().search([('model', '=', invoice_sudo._name)], limit=1).id,
'callback_res_id': invoice_sudo.id,
'callback_method': callback_method,
})
tx_type='server2server')
# set the transaction id into the session
request.session['portal_invoice_%s_transaction_id' % invoice_sudo.id] = tx.id
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment