From 85053a8b667429d1510429cf5bd6ff665206a21d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Debauche?= <std@odoo.com>
Date: Tue, 27 Apr 2021 12:44:54 +0000
Subject: [PATCH] [IMP] website_event: avoid issue when registering as portal

A computed field on event may crash if current user is a portal user as it
tries to access registrations to know if current user is already participating
to the event.

We also fix the ACL on registrations, as most code already uses them through
sudo and does not access them directly. Only event users or admins should
access them directly.

Task ID-2322411
PR odoo/odoo#

closes odoo/odoo#69928

Signed-off-by: Thibault Delavallee (tde) <tde@openerp.com>
---
 addons/event/i18n/event.pot          | 6 ++++++
 addons/event/models/event.py         | 8 ++++++++
 addons/website_event/models/event.py | 2 +-
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/addons/event/i18n/event.pot b/addons/event/i18n/event.pot
index 5cb73d8d1b6f..9aa14ad5fbd2 100644
--- a/addons/event/i18n/event.pot
+++ b/addons/event/i18n/event.pot
@@ -1705,6 +1705,12 @@ msgid ""
 "hosted online."
 msgstr ""
 
+#. module: event
+#: code:addons/event/models/event.py:386
+#, python-format
+msgid "Only event users or managers are allowed to create or update registrations."
+msgstr "Only event users or managers are allowed to create or update registrations."
+
 #. module: event
 #: model_terms:event.event,description:event.event_0
 msgid ""
diff --git a/addons/event/models/event.py b/addons/event/models/event.py
index 995f54769885..7e840c39c7c7 100644
--- a/addons/event/models/event.py
+++ b/addons/event/models/event.py
@@ -434,6 +434,14 @@ class EventRegistration(models.Model):
             registration.sudo().confirm_registration()
         return registration
 
+    @api.model
+    def check_access_rights(self, operation, raise_exception=True):
+        if not self.env.is_admin() and not self.user_has_groups('event.group_event_user'):
+            if raise_exception:
+                raise AccessError(_('Only event users or managers are allowed to create or update registrations.'))
+            return False
+        return super(EventRegistration, self).check_access_rights(operation, raise_exception)
+
     @api.model
     def _prepare_attendee_values(self, registration):
         """ Method preparing the values to create new attendees based on a
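Review bot: The new `check_access_rights` never looks at `operation`, so the group test refuses `read` and `unlink` as well as `create` and `write`, while the error text speaks only of creating or updating registrations. The commit description suggests the blanket restriction is intended; if so, state it in a docstring such as `""" Deny every direct operation on registrations to users who are neither admin nor in event.group_event_user; other flows must go through sudo(). """`. The message should match, e.g. `_('Only event users or managers are allowed to access registrations.')`, with the `event.pot` entry updated to the same text. The restriction is enforced in Python, so someone auditing only the model's declared access rules would presumably not see it without that docstring. The class body starts and continues outside the hunk.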
diff --git a/addons/website_event/models/event.py b/addons/website_event/models/event.py
index 86de729f85ba..7025337b1f94 100644
--- a/addons/website_event/models/event.py
+++ b/addons/website_event/models/event.py
@@ -45,7 +45,7 @@ class Event(models.Model):
             for event in self:
                 domain = ['&','&', '|', ('email', '=', email), ('partner_id', '=', self.env.user.partner_id.id),
                           ('event_id', '=', event.id), ('state', '!=', 'cancel')]
-                event.is_participating = self.env['event.registration'].search_count(domain)
+                event.is_participating = self.env['event.registration'].sudo().search_count(domain)
         else:
             self.is_participating = False
 
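Review bot: The `sudo()` added before `search_count` lifts the access checks for this query, so the domain is now the only thing scoping the result to the current user, and nothing here explains why that is safe. `email` is assigned outside the hunk; if it can be empty for a portal user, the leaf `('email', '=', email)` would presumably match registrations stored without an email and set `is_participating` for someone who never registered. Consider adding the email leaf only when `email` is set, and add a comment such as `# sudo: portal users cannot read event.registration; only a count limited to their own email/partner is exposed`. The method starts outside the hunk.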
-- 
GitLab