From 9a0267ee366c98902b0059af79c03ca56488df88 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thibault=20Delavall=C3=A9e?= <tde@odoo.com>
Date: Tue, 24 Dec 2019 09:43:21 +0000
Subject: [PATCH] [FIX] website_slides: do not display links to unviewable
slides
Channel allow to browse slides and a list of available slide is displayed
as a left panel in the eLearning frontend. Even slides current user
cannot see are displayed in order to give some information about course
content. Accessible slides are clickable, other slides should be
displayed as strings. However due to some sudo when computing slide
informations all links are set as clickable.
There is no security issue as when being redirected to a slide the
user cannot access there is an acl error. However he should not have
the links displayed, just strings. This commit fixes that behavior.
closes odoo/odoo#42338
X-original-commit: 04a957bb18665957faf87b6c47996643adbd4558
Signed-off-by: Thibault Delavallee (tde) <tde@openerp.com>
---
.../website_slides/views/website_slides_templates_lesson.xml | 4 ++--
.../views/website_slides_templates_lesson_fullscreen.xml | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/addons/website_slides/views/website_slides_templates_lesson.xml b/addons/website_slides/views/website_slides_templates_lesson.xml
index 35d104c15895..806c940610c6 100644
--- a/addons/website_slides/views/website_slides_templates_lesson.xml
+++ b/addons/website_slides/views/website_slides_templates_lesson.xml
@@ -140,8 +140,8 @@
<ul class="collapse show p-0 m-0 list-unstyled" t-att-id="('collapse-%s') % (category.id if category else 0)" >
<t t-foreach="category_slide_ids" t-as="aside_slide">
<t t-set="slide_completed" t-value="channel_progress[aside_slide.id].get('completed')"/>
- <t t-set="is_member" t-value="aside_slide.channel_id.is_member"/>
- <t t-set="can_access" t-value="aside_slide.is_preview or is_member or aside_slide.channel_id.can_publish"/>
+ <t t-set="is_member" t-value="slide.channel_id.is_member"/>
+ <t t-set="can_access" t-value="aside_slide.is_preview or is_member or slide.channel_id.can_publish"/>
<li class="p-0 pb-1">
<a t-att-href="'/slides/slide/%s' % (slug(aside_slide)) if can_access else '#'"
t-att-class="'o_wslides_lesson_aside_list_link d-flex align-items-top px-2 pt-1 text-decoration-none %s%s' % (('bg-100 py-1 active' if aside_slide == slide else ''), 'text-muted' if not can_access else '')">
diff --git a/addons/website_slides/views/website_slides_templates_lesson_fullscreen.xml b/addons/website_slides/views/website_slides_templates_lesson_fullscreen.xml
index 090d4b879a03..715c6237e6f2 100644
--- a/addons/website_slides/views/website_slides_templates_lesson_fullscreen.xml
+++ b/addons/website_slides/views/website_slides_templates_lesson_fullscreen.xml
@@ -85,8 +85,8 @@
<ul class="o_wslides_fs_sidebar_section_slides collapse show position-relative px-0 pb-1 my-0 mx-n3" t-att-id="('collapse-%s') % (category.id if category else 0)">
<t t-foreach="slides" t-as="slide">
<t t-set="slide_completed" t-value="channel_progress[slide.id].get('completed')"/>
- <t t-set="is_member" t-value="slide.channel_id.is_member"/>
- <t t-set="can_access" t-value="slide.is_preview or is_member or slide.channel_id.can_publish"/>
+ <t t-set="is_member" t-value="current_slide.channel_id.is_member"/>
+ <t t-set="can_access" t-value="slide.is_preview or is_member or current_slide.channel_id.can_publish"/>
<li t-att-class="'o_wslides_fs_sidebar_list_item d-flex align-items-top py-1 %s' % ('active' if slide.id == current_slide.id else '')"
t-att-data-id="slide.id"
t-att-data-can-access="can_access"
--
GitLab