[FIX] account: prevent reading fake binary fields over rpc
Since Odoo 16 [1] account module uses some non-storable computed Binary fields to compute and access structured data. Those data is not transformed into binary data and is not supposed to be used outside of server environment.

There are still use cases when ORM tries to process such fields as normal Binary fields. For example, on using export wizard [2]. This commit fixes similar problem on reading `account.move{.line}` records via rpc.

STEPS: create `account.move` record and read it via an RPC call [3]

```
account_move_id = 666
models.execute_kw(db, uid, password, 'account.move', 'read', [account_move_id])
```

SOLUTION

1. Add missing `exportable=False` to the fake Binary fields
2. Block access to such fields via method `check_field_access_rights`

[1]: https://github.com/odoo/odoo/commit/d8d47f9ff8554f4b39487fd2f13c153c7d6f958d
[2]: https://github.com/odoo/odoo/commit/c925ecb2a22750524020f0d111888fd76eedb0cb
[3]: https://www.odoo.com/documentation/16.0/developer/api/external_api.html

opw-3099975

closes odoo/odoo#110699

Signed-off-by: William André (wan) <wan@odoo.com>