From 55878df5fff0e6da926e4503b13a51052a4201e0 Mon Sep 17 00:00:00 2001
From: Toufik Benjaa <tbe@odoo.com>
Date: Wed, 14 Mar 2018 15:36:03 +0100
Subject: [PATCH] [FIX] account_payment: Restrain access to invoice's partner

- Restrain the creation of transaction for an invoice to the invoice partner.
- Removed the callback_method argument as it was unused.
---
 addons/account_payment/controllers/payment.py | 30 ++++++++-----------
 1 file changed, 13 insertions(+), 17 deletions(-)

diff --git a/addons/account_payment/controllers/payment.py b/addons/account_payment/controllers/payment.py
index 2916a512b51f..e2a5e6dbea98 100644
--- a/addons/account_payment/controllers/payment.py
+++ b/addons/account_payment/controllers/payment.py
@@ -8,7 +8,7 @@ from odoo.http import request, route
 
 class PaymentPortal(http.Controller):
 
-    @route('/invoice/pay/<int:invoice_id>/form_tx', type='json', auth="public", website=True)
+    @route('/invoice/pay/<int:invoice_id>/form_tx', type='json', auth="user", website=True)
     def invoice_pay_form(self, acquirer_id, invoice_id, save_token=False, access_token=None, **kwargs):
         """ Json method that creates a payment.transaction, used to create a
         transaction when the user clicks on 'pay now' button on the payment
@@ -17,11 +17,13 @@ class PaymentPortal(http.Controller):
         :return html: form containing all values related to the acquirer to
                       redirect customers to the acquirer website """
         success_url = kwargs.get('success_url', '/my')
-        callback_method = kwargs.get('callback_method', '')
-
         invoice_sudo = request.env['account.invoice'].sudo().browse(invoice_id)
         if not invoice_sudo:
             return False
+        # Check if the current user has access to this invoice
+        commercial_partner_id = request.env.user.partner_id.commercial_partner_id.id
+        if request.env['account.invoice'].sudo().search_count([('id', '=', invoice_id), ('message_partner_ids', 'child_of', commercial_partner_id)]) == 0:
+            return False
 
         try:
             acquirer = request.env['payment.acquirer'].browse(int(acquirer_id))
@@ -33,12 +35,7 @@ class PaymentPortal(http.Controller):
             invoice_sudo,
             acquirer,
             payment_token=token,
-            tx_type='form_save' if save_token else 'form',
-            add_tx_values={
-                'callback_model_id': request.env['ir.model'].sudo().search([('model', '=', invoice_sudo._name)], limit=1).id,
-                'callback_res_id': invoice_sudo.id,
-                'callback_method': callback_method,
-            })
+            tx_type='form_save' if save_token else 'form')
 
         # set the transaction id into the session
         request.session['portal_invoice_%s_transaction_id' % invoice_sudo.id] = tx.id
@@ -53,12 +50,11 @@ class PaymentPortal(http.Controller):
             }
         )
 
-    @http.route('/invoice/pay/<int:invoice_id>/s2s_token_tx', type='http', auth='public', website=True)
+    @http.route('/invoice/pay/<int:invoice_id>/s2s_token_tx', type='http', auth='user', website=True)
     def invoice_pay_token(self, invoice_id, pm_id=None, **kwargs):
         """ Use a token to perform a s2s transaction """
         error_url = kwargs.get('error_url', '/my')
         success_url = kwargs.get('success_url', '/my')
-        callback_method = kwargs.get('callback_method', '')
         access_token = kwargs.get('access_token')
         params = {}
         if access_token:
@@ -69,6 +65,11 @@ class PaymentPortal(http.Controller):
             params['error'] = 'pay_invoice_invalid_doc'
             return request.redirect(_build_url_w_params(error_url, params))
 
+        # Check if the current user has access to this invoice
+        commercial_partner_id = request.env.user.partner_id.commercial_partner_id.id
+        if request.env['account.invoice'].sudo().search_count([('id', '=', invoice_id), ('message_partner_ids', 'child_of', commercial_partner_id)]) == 0:
+            return False
+
         try:
             token = request.env['payment.token'].sudo().browse(int(pm_id))
         except (ValueError, TypeError):
@@ -82,12 +83,7 @@ class PaymentPortal(http.Controller):
             invoice_sudo,
             token.acquirer_id,
             payment_token=token,
-            tx_type='server2server',
-            add_tx_values={
-                'callback_model_id': request.env['ir.model'].sudo().search([('model', '=', invoice_sudo._name)], limit=1).id,
-                'callback_res_id': invoice_sudo.id,
-                'callback_method': callback_method,
-            })
+            tx_type='server2server')
 
         # set the transaction id into the session
         request.session['portal_invoice_%s_transaction_id' % invoice_sudo.id] = tx.id
-- 
GitLab