From a7c32029aaf595b9b3ae13b9c425e384ab4c8305 Mon Sep 17 00:00:00 2001
From: Aaron Bohy <aab@odoo.com>
Date: Wed, 13 Sep 2023 11:56:03 +0000
Subject: [PATCH] [FIX] web: action service: sanitize action.domain

When it is unset, the domain of an action can be either false or
the empty string, which in both cases means []. Before this commit,
we didn't process the domain in those cases (i.e. we kept the
false or empty string value). However, having an empty string as
domain could cause issues if it is manipulated by Domain/pyutils.
In particular, in stock.picking, clicking on "Insert menu in
spreadsheet" crashed before this commit.

To prevent those issues from happening, this commit sanitizes the
domain of the action at the first entry point, such that it's
always an array (the empty array in our case).

This commit comes with a test in enterprise, which reproduces the
scenario given above, as we couldn't find framework and blackbox
scenario to highlight it.

closes odoo/odoo#135369

X-original-commit: 0fde590bee71618f78e5f954349530bd007c62cf
Related: odoo/enterprise#47363
Signed-off-by: Samuel Degueldre (sad) <sad@odoo.com>
Signed-off-by: Aaron Bohy (aab) <aab@odoo.com>
---
 .../src/webclient/actions/action_service.js       | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/addons/web/static/src/webclient/actions/action_service.js b/addons/web/static/src/webclient/actions/action_service.js
index ea01ced3b318..0c0d963f44ee 100644
--- a/addons/web/static/src/webclient/actions/action_service.js
+++ b/addons/web/static/src/webclient/actions/action_service.js
@@ -201,16 +201,11 @@ function makeActionManager(env) {
             // do nothing, the action might simply not be serializable
         }
         action.context = makeContext([context, action.context], env.services.user.context);
-        if (action.domain) {
-            const domain = action.domain || [];
-            action.domain =
-                typeof domain === "string"
-                    ? evaluateExpr(
-                          domain,
-                          Object.assign({}, env.services.user.context, action.context)
-                      )
-                    : domain;
-        }
+        const domain = action.domain || [];
+        action.domain =
+            typeof domain === "string"
+                ? evaluateExpr(domain, Object.assign({}, env.services.user.context, action.context))
+                : domain;
         if (action.help) {
             const htmlHelp = document.createElement("div");
             htmlHelp.innerHTML = action.help;
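Review bot: The string branch still assigns whatever `evaluateExpr(domain, ...)` returns, so the "always an array" guarantee from the commit message only holds for falsy and already-array domains. A non-empty string that evaluates to something other than a list (a literal such as `"False"`, if the server ever sends one) would still reach the Domain/pyutils consumers as a non-array. Consider checking the result and failing loudly rather than silently widening the filter to `[]`, e.g. `if (!Array.isArray(action.domain)) { throw new Error("action.domain must evaluate to a list"); }` right after the assignment. A one-line comment such as `// unset domains arrive as false or ""; both mean []` above `const domain = action.domain || [];` would record why the guard was dropped. The enclosing function starts and ends outside this hunk, so any later normalisation of the domain is not visible here.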
-- 
GitLab