From b2265108406e0dc1d1e1250fdbad5bc2cee2006d Mon Sep 17 00:00:00 2001
From: Ravi Gohil <rgo@odoo.com>
Date: Thu, 21 Jul 2016 15:14:02 +0530
Subject: [PATCH] [IMP] payment_*: avoid access error on provider model

As the provider model is intended to be used internally, restrict the read of
some private fields to the employee group and avoid creating access issues.
---
 addons/payment_adyen/models/adyen.py         |  6 +++---
 addons/payment_authorize/models/authorize.py |  4 ++--
 addons/payment_buckaroo/models/buckaroo.py   |  4 ++--
 addons/payment_ogone/models/ogone.py         | 10 +++++-----
 addons/payment_paypal/models/paypal.py       | 14 +++++++-------
 addons/payment_sips/controllers/main.py      |  2 +-
 addons/payment_sips/models/sips.py           |  4 ++--
 addons/portal_sale/portal_sale.py            |  4 ++--
 8 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/addons/payment_adyen/models/adyen.py b/addons/payment_adyen/models/adyen.py
index 32e57ab0a476..a1424ebb3c53 100644
--- a/addons/payment_adyen/models/adyen.py
+++ b/addons/payment_adyen/models/adyen.py
@@ -36,9 +36,9 @@ class AcquirerAdyen(osv.Model):
         return providers
 
     _columns = {
-        'adyen_merchant_account': fields.char('Merchant Account', required_if_provider='adyen'),
-        'adyen_skin_code': fields.char('Skin Code', required_if_provider='adyen'),
-        'adyen_skin_hmac_key': fields.char('Skin HMAC Key', required_if_provider='adyen'),
+        'adyen_merchant_account': fields.char('Merchant Account', required_if_provider='adyen', groups='base.group_user'),
+        'adyen_skin_code': fields.char('Skin Code', required_if_provider='adyen', groups='base.group_user'),
+        'adyen_skin_hmac_key': fields.char('Skin HMAC Key', required_if_provider='adyen', groups='base.group_user'),
     }
 
     def _adyen_generate_merchant_sig(self, acquirer, inout, values):
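Review bot: `groups='base.group_user'` still lets every internal user read `adyen_skin_hmac_key`, which is signing material rather than display data; the restriction added here only keeps portal and public users out. If the key is needed only by server-side signing code, a tighter group such as `groups='base.group_system'` on the secret field, with `sudo()` at the call sites that sign, would fit that intent better, while the merchant account and skin code could stay at `base.group_user`. The same applies to the secret fields in the authorize, buckaroo, ogone, paypal and sips model hunks (`authorize_transaction_key`, `brq_secretkey`, `ogone_password`, `ogone_shakey_in`/`ogone_shakey_out`, `paypal_api_password`, `paypal_api_access_token`, `sips_secret`). `_adyen_generate_merchant_sig` begins on the last line of this hunk and its body is not visible, so whether it already runs with elevated rights cannot be confirmed from here.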
diff --git a/addons/payment_authorize/models/authorize.py b/addons/payment_authorize/models/authorize.py
index 2708daa37a69..5168d8d1b995 100644
--- a/addons/payment_authorize/models/authorize.py
+++ b/addons/payment_authorize/models/authorize.py
@@ -30,8 +30,8 @@ class PaymentAcquirerAuthorize(models.Model):
         providers.append(['authorize', 'Authorize.Net'])
         return providers
 
-    authorize_login = fields.Char(string='API Login Id', required_if_provider='authorize')
-    authorize_transaction_key = fields.Char(string='API Transaction Key', required_if_provider='authorize')
+    authorize_login = fields.Char(string='API Login Id', required_if_provider='authorize', groups='base.group_user')
+    authorize_transaction_key = fields.Char(string='API Transaction Key', required_if_provider='authorize', groups='base.group_user')
 
     def _authorize_generate_hashing(self, values):
         data = '^'.join([
diff --git a/addons/payment_buckaroo/models/buckaroo.py b/addons/payment_buckaroo/models/buckaroo.py
index eded57800f99..62b26783db51 100644
--- a/addons/payment_buckaroo/models/buckaroo.py
+++ b/addons/payment_buckaroo/models/buckaroo.py
@@ -43,8 +43,8 @@ class AcquirerBuckaroo(osv.Model):
         return providers
 
     _columns = {
-        'brq_websitekey': fields.char('WebsiteKey', required_if_provider='buckaroo'),
-        'brq_secretkey': fields.char('SecretKey', required_if_provider='buckaroo'),
+        'brq_websitekey': fields.char('WebsiteKey', required_if_provider='buckaroo', groups='base.group_user'),
+        'brq_secretkey': fields.char('SecretKey', required_if_provider='buckaroo', groups='base.group_user'),
     }
 
     def _buckaroo_generate_digital_sign(self, acquirer, inout, values):
diff --git a/addons/payment_ogone/models/ogone.py b/addons/payment_ogone/models/ogone.py
index de6d29a4b515..8e58cb8cd8ec 100644
--- a/addons/payment_ogone/models/ogone.py
+++ b/addons/payment_ogone/models/ogone.py
@@ -43,11 +43,11 @@ class PaymentAcquirerOgone(osv.Model):
         return providers
 
     _columns = {
-        'ogone_pspid': fields.char('PSPID', required_if_provider='ogone'),
-        'ogone_userid': fields.char('API User ID', required_if_provider='ogone'),
-        'ogone_password': fields.char('API User Password', required_if_provider='ogone'),
-        'ogone_shakey_in': fields.char('SHA Key IN', size=32, required_if_provider='ogone'),
-        'ogone_shakey_out': fields.char('SHA Key OUT', size=32, required_if_provider='ogone'),
+        'ogone_pspid': fields.char('PSPID', required_if_provider='ogone', groups='base.group_user'),
+        'ogone_userid': fields.char('API User ID', required_if_provider='ogone', groups='base.group_user'),
+        'ogone_password': fields.char('API User Password', required_if_provider='ogone', groups='base.group_user'),
+        'ogone_shakey_in': fields.char('SHA Key IN', size=32, required_if_provider='ogone', groups='base.group_user'),
+        'ogone_shakey_out': fields.char('SHA Key OUT', size=32, required_if_provider='ogone', groups='base.group_user'),
     }
 
     def _ogone_generate_shasign(self, acquirer, inout, values):
diff --git a/addons/payment_paypal/models/paypal.py b/addons/payment_paypal/models/paypal.py
index d66b55add500..d03c0b710274 100644
--- a/addons/payment_paypal/models/paypal.py
+++ b/addons/payment_paypal/models/paypal.py
@@ -41,17 +41,17 @@ class AcquirerPaypal(osv.Model):
         return providers
 
     _columns = {
-        'paypal_email_account': fields.char('Paypal Email ID', required_if_provider='paypal'),
+        'paypal_email_account': fields.char('Paypal Email ID', required_if_provider='paypal', groups='base.group_user'),
         'paypal_seller_account': fields.char(
-            'Paypal Merchant ID',
+            'Paypal Merchant ID', groups='base.group_user',
             help='The Merchant ID is used to ensure communications coming from Paypal are valid and secured.'),
-        'paypal_use_ipn': fields.boolean('Use IPN', help='Paypal Instant Payment Notification'),
+        'paypal_use_ipn': fields.boolean('Use IPN', help='Paypal Instant Payment Notification', groups='base.group_user'),
         # Server 2 server
         'paypal_api_enabled': fields.boolean('Use Rest API'),
-        'paypal_api_username': fields.char('Rest API Username'),
-        'paypal_api_password': fields.char('Rest API Password'),
-        'paypal_api_access_token': fields.char('Access Token'),
-        'paypal_api_access_token_validity': fields.datetime('Access Token Validity'),
+        'paypal_api_username': fields.char('Rest API Username', groups='base.group_user'),
+        'paypal_api_password': fields.char('Rest API Password', groups='base.group_user'),
+        'paypal_api_access_token': fields.char('Access Token', groups='base.group_user'),
+        'paypal_api_access_token_validity': fields.datetime('Access Token Validity', groups='base.group_user'),
     }
 
     _defaults = {
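Review bot: `paypal_api_enabled` is the only column in this `_columns` block left without `groups=`, and nothing says whether that is deliberate. If it has to stay readable by non-employee users, a short comment above it such as `# readable by all users: not a credential` would make that clear. Otherwise add `groups='base.group_user'` so it matches the neighbouring fields.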
diff --git a/addons/payment_sips/controllers/main.py b/addons/payment_sips/controllers/main.py
index 47c9c8d0f0e5..2355229fa41a 100644
--- a/addons/payment_sips/controllers/main.py
+++ b/addons/payment_sips/controllers/main.py
@@ -35,7 +35,7 @@ class SipsController(http.Controller):
 
         sips = acquirer_obj.search([('provider', '=', 'sips')], limit=1)
 
-        security = sips._sips_generate_shasign(post)
+        security = sips.sudo()._sips_generate_shasign(post)
         if security == post['Seal']:
             _logger.debug('Sips: validated data')
             res = tx_obj.sudo().form_feedback(post, 'sips')
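Review bot: The seal check on the line after the changed call compares the computed signature with `post['Seal']` using `==`, which is not a constant-time comparison, and a request without a `Seal` parameter raises `KeyError` instead of being rejected as invalid. Consider `if hmac.compare_digest(security, post.get('Seal', '')):`, which needs `import hmac` at the top of the file (outside this hunk) and both arguments of the same string type. `sips` comes from a `search(..., limit=1)` that may return an empty recordset, so it is worth confirming how `_sips_generate_shasign` behaves when no SIPS acquirer is configured. The enclosing controller method starts and ends outside the hunk.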
diff --git a/addons/payment_sips/models/sips.py b/addons/payment_sips/models/sips.py
index 980873178a97..2706b729ac49 100644
--- a/addons/payment_sips/models/sips.py
+++ b/addons/payment_sips/models/sips.py
@@ -41,8 +41,8 @@ class AcquirerSips(models.Model):
     _inherit = 'payment.acquirer'
     # Fields
     sips_merchant_id = fields.Char('SIPS API User Password',
-                                   required_if_provider='sips')
-    sips_secret = fields.Char('SIPS Secret', size=64, required_if_provider='sips')
+                                   required_if_provider='sips', groups='base.group_user')
+    sips_secret = fields.Char('SIPS Secret', size=64, required_if_provider='sips', groups='base.group_user')
 
     # Methods
     def _get_sips_urls(self, environment):
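Review bot: `sips_merchant_id` carries the label 'SIPS API User Password', which, judging by the field name, describes the wrong thing and could lead an administrator to paste a secret into an identifier field. Since the line is being touched anyway, the label could become `fields.Char('SIPS Merchant ID', required_if_provider='sips', groups='base.group_user')`. A label change affects translations, so a separate commit may be preferable.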
diff --git a/addons/portal_sale/portal_sale.py b/addons/portal_sale/portal_sale.py
index 6bc44b5dc02d..1b884d075dd3 100644
--- a/addons/portal_sale/portal_sale.py
+++ b/addons/portal_sale/portal_sale.py
@@ -40,7 +40,7 @@ class sale_order(osv.Model):
         for this in self.browse(cr, SUPERUSER_ID, ids, context=context):
             if this.state not in ('draft', 'cancel') and not this.invoiced:
                 result[this.id] = payment_acquirer.render_payment_block(
-                    cr, uid, this.name, this.amount_total, this.pricelist_id.currency_id.id,
+                    cr, SUPERUSER_ID, this.name, this.amount_total, this.pricelist_id.currency_id.id,
                     partner_id=this.partner_id.id, company_id=this.company_id.id, context=context)
         return result
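Review bot: Passing `SUPERUSER_ID` to `render_payment_block` here carries no comment explaining why the caller's `uid` is bypassed, and the same change is made for `account_invoice` in the next hunk. A line above each call such as `# SUPERUSER_ID: acquirer credential fields are restricted to base.group_user, portal users cannot read them` would record the reason. Because the block is now rendered with full rights, it is worth confirming that `render_payment_block` emits only the values the payment form needs and still filters acquirers by the `company_id` passed in; its body is not visible in this diff. Both enclosing methods start outside their hunks.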
 
@@ -100,7 +100,7 @@ class account_invoice(osv.Model):
         for this in self.browse(cr, uid, ids, context=context):
             if this.type == 'out_invoice' and this.state not in ('draft', 'done') and not this.reconciled:
                 result[this.id] = payment_acquirer.render_payment_block(
-                    cr, uid, this.number, this.residual, this.currency_id.id,
+                    cr, SUPERUSER_ID, this.number, this.residual, this.currency_id.id,
                     partner_id=this.partner_id.id, company_id=this.company_id.id, context=context)
         return result
 
-- 
GitLab