From 7bcd64c51b2e87ece462c75a528c9ad6e1601633 Mon Sep 17 00:00:00 2001
From: flvr-odoo <flvr@odoo.com>
Date: Thu, 27 Apr 2023 14:59:32 +0000
Subject: [PATCH] [FIX] hr_expense: prevent linking of expense with no perm

Previously, a user could link their own expenses to an expense sheet
of someone else.

This would not be allowed upon creation but was allowed when updating
the values of the expense.

This commit adds a simple check at the beginning of write().

closes odoo/odoo#120008

Signed-off-by: Vranckx Florian (flvr) <flvr@odoo.com>
---
 addons/hr_expense/models/hr_expense.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/addons/hr_expense/models/hr_expense.py b/addons/hr_expense/models/hr_expense.py
index fc0f1e14d929..f31a5cb47837 100644
--- a/addons/hr_expense/models/hr_expense.py
+++ b/addons/hr_expense/models/hr_expense.py
@@ -278,6 +278,8 @@ class HrExpense(models.Model):
         return super(HrExpense, self).unlink()
 
     def write(self, vals):
+        if 'sheet_id' in vals:
+            self.env['hr.expense.sheet'].browse(vals['sheet_id']).check_access_rule('write')
         if 'tax_ids' in vals or 'analytic_account_id' in vals or 'account_id' in vals:
             if any(not expense.is_editable for expense in self):
                 raise UserError(_('You are not authorized to edit this expense report.'))
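Review bot: The new guard on the `sheet_id` line calls only `check_access_rule('write')`, which enforces ir.rule record rules and not the model-level access rights that `check_access_rights` covers, so a user whose groups hold read-only access to hr.expense.sheet but whom no record rule excludes would still pass; I would add `sheet.check_access_rights('write')` immediately before the existing `check_access_rule('write')` call on the same browsed recordset. When `vals['sheet_id']` is falsy (unlinking the expense from a sheet), `browse(False)` yields an empty recordset and the check is presumably a no-op, so the sheet the expense is currently attached to is never verified; if detaching from someone else's sheet should be restricted too, the same check on `self.sheet_id` is needed, though that may be intentional. Neither the ACL nor the record rule says anything about the sheet's state, so an accepted or posted sheet can still receive expenses through this path if that is not blocked elsewhere. The body of write() continues beyond the hunk.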
-- 
GitLab