[IMP] portal: allow user with token to see attachments
Spec
====
Before this commit if a user has access to a document thanks to an access_token, he would already be able to see the chatter for the document, but he would not be able to download the attachments that are shown to him on that same chatter.

The goal of this commit is to let the user download those attachments.

This makes sense especially since messages publicly posted in the chatter might generate emails to the user, and the attachments will already be attached to those emails, so this PR is not actually granting access to more information to the user in a typical flow.

The only difference is when said user was added as a follower after the attachments have been posted in which case he will be able to read them even though he didn't get the original emails, but this is consistent with how he will also be able to read the existing messages even though he didn't get them by email.

Technical
=========
To solve this issue we could have used the access_token of the main document, but this would allow any user with the token to access all attachments of the document, including those he should potentially not be able to see such as those from internal notes.

Instead we ensure a different access_token is properly set on each of the attachments that are going to be shown and we update their links accordingly.

This allows for a more granular access control, and it also takes advantage of the existing /web/content route without having to adapt it.

opw-2040455
Also discussed in task-37264

closes #34384

closes odoo/odoo#35121

Signed-off-by: Olivier Dony (odo) <odo@openerp.com>
Co-authored-by: Pratima Gupta <pgu@odoo.com>
Co-authored-by: Sébastien Theys <seb@odoo.com>
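The design described under Technical, as an added sketch that is not code from this commit or from Odoo: each attachment shown in the chatter gets its own token, and the document token is never accepted for a download. The classes, function names and the exact link format are hypothetical; only the /web/content route and the per-attachment access_token come from the commit message.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Attachment:
    id: int
    access_token: Optional[str] = None  # per-attachment token, set only when shown

@dataclass
class Message:
    internal: bool  # True for an internal note
    attachments: List[Attachment]

@dataclass
class Document:
    access_token: str
    messages: List[Message]

def _same(a: Optional[str], b: Optional[str]) -> bool:
    # Constant-time comparison; a missing token never matches.
    return bool(a) and bool(b) and hmac.compare_digest(a.encode(), b.encode())

def portal_attachment_links(doc: Document, presented: str) -> List[str]:
    """Links for the attachments a document-token holder sees in the chatter."""
    if not _same(doc.access_token, presented):
        return []
    links = []
    for msg in doc.messages:
        if msg.internal:
            continue  # internal notes are never shown, so never get a token
        for att in msg.attachments:
            if att.access_token is None:
                att.access_token = secrets.token_urlsafe(32)
            links.append(f"/web/content/{att.id}?access_token={att.access_token}")
    return links

def can_download(att: Attachment, presented: Optional[str]) -> bool:
    """Download check: only the attachment's own token is accepted."""
    return _same(att.access_token, presented)

def build_sample() -> Document:
    # Constructed sample: one public message, one internal note.
    return Document("doc-token-constructed", [
        Message(False, [Attachment(1)]),
        Message(True, [Attachment(2)]),
    ])
```

Because the internal note's attachment never receives a token, a portal user holding the document token has nothing that unlocks it.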