[FIX] website_slides: prevent slide download for public users

Task #1930691 Purpose ======= If the download security is set to 'Authenticated users', the route should prevent public users from downloading the slides. closes #30281 closes odoo/odoo#30399

[FIX] website_slides: prevent slide download for public users
5a6c523c · Aurélien Warnon · f63569be · 5a6c523c
Commit 5a6c523c authored 6 years ago by Aurélien Warnon
--- a/addons/website_slides/controllers/main.py
+++ b/addons/website_slides/controllers/main.py
@@ -216,7 +216,7 @@ class WebsiteSlides(http.Controller):

    @http.route('''/slides/slide/<model("slide.slide", "[('channel_id.can_see', '=', True), ('download_security', '=', 'public')]"):slide>/download''', type='http', auth="public", website=True)
    def slide_download(self, slide):
-        if slide.download_security == 'public' or (slide.download_security == 'user' and request.session.uid):
+        if slide.download_security == 'public' or (slide.download_security == 'user' and request.env.user and request.env.user != request.website.user_id):
            filecontent = base64.b64decode(slide.datas)
            disposition = 'attachment; filename=%s.pdf' % werkzeug.urls.url_quote(slide.name)
            return request.make_response(