[FIX] hr_expense: prevent linking of expense with no perm

Previously, a user could link his own expenses to a expense sheet of someone else. This would not be allowed upon creation but was allowed when updating the values of the expense. This commit add a simple check at the beginning of the write() closes odoo/odoo#120008 Signed-off-by: Vranckx Florian (flvr) <flvr@odoo.com>

[FIX] hr_expense: prevent linking of expense with no perm
7bcd64c5 · flvr-odoo · 8aefb386 · 7bcd64c5
Commit 7bcd64c5 authored 1 year ago by flvr-odoo
--- a/addons/hr_expense/models/hr_expense.py
+++ b/addons/hr_expense/models/hr_expense.py
@@ -278,6 +278,8 @@ class HrExpense(models.Model):
        return super(HrExpense, self).unlink()

    def write(self, vals):
+        if 'sheet_id' in vals:
+            self.env['hr.expense.sheet'].browse(vals['sheet_id']).check_access_rule('write')
        if 'tax_ids' in vals or 'analytic_account_id' in vals or 'account_id' in vals:
            if any(not expense.is_editable for expense in self):
                raise UserError(_('You are not authorized to edit this expense report.'))