[FIX] website_slides: fix domain computation of a channel slide list

When displaying a channel content all its slides are displayed in a list view or cards view. Even slides current user cannot read because he is not member of the channel are displayed, even if there is no link (and access rights prevent them for effectively accessing the slide). Purpose is to display a channel content without giving access through ACLS at its slides. However this domain computation was not correctly matching real use case * publishers should see everything; * public users should not see unpublished slides; * members not publishers should not see unpublished slides unless they uploaded it; Commit linked to task ID 1941250 and PR #31708.

[FIX] website_slides: fix domain computation of a channel slide list
6b7eeac5 · Thibault Delavallée · edf68bde · 6b7eeac5
Commit 6b7eeac5 authored 6 years ago by Thibault Delavallée
--- a/addons/website_slides/controllers/main.py
+++ b/addons/website_slides/controllers/main.py
@@ -69,21 +69,19 @@ class WebsiteSlides(WebsiteProfile):
        return True

    def _get_slide_detail(self, slide):
-        base_domain = request.website.website_domain()
+        base_domain = self._get_channel_slides_base_domain(slide.channel_id)
        if slide.channel_id.channel_type == 'documentation':
-            base_domain = expression.AND([base_domain, [('website_published', '=', True), ('id', '!=', slide.id)]])
-            related_domain = expression.AND([base_domain, [('channel_id', '=', slide.channel_id.id)]])
+            related_domain = expression.AND([base_domain, [('category_id', '=', slide.category_id.id)]])

            most_viewed_slides = request.env['slide.slide'].search(base_domain, limit=self.SLIDES_PER_ASIDE, order='total_views desc')
            related_slides = request.env['slide.slide'].search(related_domain, limit=self.SLIDES_PER_ASIDE)
-            uncategorized_slides, channel_slides = request.env['slide.slide'], request.env['slide.slide']
+            category_data = []
+            uncategorized_slides = request.env['slide.slide']
        else:
-            if slide.channel_id.can_publish:
-                related_domain = expression.AND([base_domain, [('channel_id', '=', slide.channel_id.id)]])
-            else:
-                related_domain = expression.AND([base_domain, [('channel_id', '=', slide.channel_id.id), ('website_published', '=', True)]])
-            channel_slides = request.env['slide.slide'].search(related_domain)
            most_viewed_slides, related_slides = request.env['slide.slide'], request.env['slide.slide']
+            category_data = slide.channel_id._get_categorized_slides(
+                base_domain, order=request.env['slide.slide']._order_by_strategy['sequence'],
+                force_void=True)
            # temporarily kept for fullscreen, to remove asap
            uncategorized_domain = expression.AND([base_domain, [('channel_id', '=', slide.channel_id.id), ('category_id', '=', False)]])
            uncategorized_slides = request.env['slide.slide'].search(uncategorized_domain)
@@ -101,7 +99,7 @@ class WebsiteSlides(WebsiteProfile):
            'previous_slide': previous_slide,
            'next_slide': next_slide,
            'uncategorized_slides': uncategorized_slides,
-            'channel_slides': channel_slides,
+            'category_data': category_data,
            # user
            'user': request.env.user,
            'is_public_user': request.website.is_public_user(),
@@ -124,6 +122,23 @@ class WebsiteSlides(WebsiteProfile):
    # CHANNEL UTILITIES
    # --------------------------------------------------

+    def _get_channel_slides_base_domain(self, channel):
+        """ base domain when fetching slide list data related to a given channel
+
+         * website related domain, and restricted to the channel;
+         * if publisher: everything is ok;
+         * if not publisher but has user: either slide is published, either
+           current user is the one that uploaded it;
+         * if not publisher and public: published;
+        """
+        base_domain = expression.AND([request.website.website_domain(), [('channel_id', '=', channel.id)]])
+        if not channel.can_publish:
+            if request.website.is_public_user():
+                base_domain = expression.AND([base_domain, [('website_published', '=', True)]])
+            else:
+                base_domain = expression.AND([base_domain, ['|', ('website_published', '=', True), ('user_id', '=', request.env.user.id)]])
+        return base_domain
+
    def _get_channel_progress(self, channel, include_quiz=False):
        """ Replacement to user_progress. Both may exist in some transient state. """
        slides = request.env['slide.slide'].sudo().search([('channel_id', '=', channel.id)])
@@ -294,7 +309,7 @@ class WebsiteSlides(WebsiteProfile):
        if not channel.can_access_from_current_website():
            raise werkzeug.exceptions.NotFound()

-        domain = [('channel_id', '=', channel.id)]
+        domain = self._get_channel_slides_base_domain(channel)

        pager_url = "/slides/%s" % (channel.id)
        pager_args = {}