-
- Downloads
[FIX] models, test_access_rights: restore normal ACL check
Because of 4b1cb41c, we might try to read the field 'active' on a record on which we can't read fields besides the name. This thus triggers an access error where there should not have been. In particular, this is the case for portal users: most often the records they can access point to records that they can't read (e.g. the partner of the internal user assigned to the ticket). As a result, clicking on any link creates an ACL, and thus redirects to the home page. It turns out that filtered_domain was primarily used on already loaded records, typically for the write, so it was assumed that the records could be read in the first place. However in the use-case of the portal, there is an explicit check on the read rights with the portal user, explaining the discrepancy. Since in the general case filtered_domain should be able to read all fields to evaluate the domain, we put it in sudo. fix co-authored with @rco closes odoo/odoo#38540 X-original-commit: cff5cc8c Signed-off-by:Nans Lefebvre (len) <len@odoo.com>
Showing
- odoo/addons/test_access_rights/__manifest__.py 1 addition, 0 deletionsodoo/addons/test_access_rights/__manifest__.py
- odoo/addons/test_access_rights/ir.model.access.csv 2 additions, 0 deletionsodoo/addons/test_access_rights/ir.model.access.csv
- odoo/addons/test_access_rights/models.py 11 additions, 0 deletionsodoo/addons/test_access_rights/models.py
- odoo/addons/test_access_rights/security.xml 12 additions, 0 deletionsodoo/addons/test_access_rights/security.xml
- odoo/addons/test_access_rights/tests/__init__.py 1 addition, 0 deletionsodoo/addons/test_access_rights/tests/__init__.py
- odoo/addons/test_access_rights/tests/test_check_access.py 40 additions, 0 deletionsodoo/addons/test_access_rights/tests/test_check_access.py
- odoo/models.py 1 addition, 1 deletionodoo/models.py
Loading
Please register or sign in to comment