[FIX] mail: fix issue when posting a message on a document whose first message...

[FIX] mail: fix issue when posting a message on a document whose first message / parent is not readable

How to reproduce
================

Have a portal user commenting a task on the customer portal. He may experience
a crash if previous message / first message is not available, for example
if it is internal or not published.

This is due to reference computation used in outgoing emails as it is based
on parent messageID. Accessing it crashes although it should not as it is
used only for technical purpose.

Fix
===

In this comme we fix that issue by browsing the reference message as sudo
to access its messageID. A test is added to avoid regressions.

Task ID 2061760
PR #36845

Signed-off-by: Thibault Delavallee (tde) <tde@openerp.com>
Co-authored-by: jpr-odoo <jpr@openerp.com>

addons/mail/models/res_partner.py

@@ -117,7 +117,8 @@ class Partner(models.Model):
             'mail_message_id': message.id,
             'mail_server_id': message.mail_server_id.id,
             'auto_delete': mail_auto_delete,
-            'references': message.parent_id.message_id if message.parent_id else False
+            # due to ir.rule, user have no right to access parent message if message is not published
+            'references': message.parent_id.sudo().message_id if message.parent_id else False,
         }
         if record:
             base_mail_values.update(self.env['mail.thread']._notify_specific_email_values_on_records(message, records=record))

addons/test_mail/tests/test_mail_message.py

 # -*- coding: utf-8 -*-
 # Part of Odoo. See LICENSE file for full copyright and licensing details.
 import base64
+from unittest.mock import patch
 
 from odoo.addons.test_mail.tests import common
 from odoo.addons.test_mail.tests.common import mail_new_test_user
+from odoo.addons.test_mail.models.test_mail_models import MailTestSimple
 from odoo.exceptions import AccessError, except_orm
 from odoo.tools import mute_logger
 from odoo.tests import tagged
@@ -291,6 +293,39 @@ class TestMessageAccess(common.BaseFunctionalTest, common.MockEmails):
         self.message.write({'partner_ids': [(4, self.user_employee.partner_id.id)]})
         self.env['mail.message'].sudo(self.user_employee).create({'model': 'mail.channel', 'res_id': self.group_private.id, 'body': 'Test', 'parent_id': self.message.id})
 
+    def test_mail_message_access_create_wo_parent_access(self):
+        """ Purpose is to test posting a message on a record whose first message / parent
+        is not accessible by current user. """
+        message = self.test_record.message_post(
+            body='<p>This is First Message</p>', subject='Subject',
+            message_type='comment', subtype='mail.mt_note')
+        # portal user have no rights to read the message
+        with self.assertRaises(except_orm):
+            message.sudo(self.user_portal).read(['subject, body'])
+
+        with patch.object(MailTestSimple, 'check_access_rights', return_value=True):
+            with self.assertRaises(except_orm):
+                message.sudo(self.user_portal).read(['subject, body'])
+
+            # parent message is accessible to references notification mail values
+            # for _notify method and portal user have no rights to send the message for this model
+            new_msg = self.test_record.sudo(self.user_portal).message_post(
+                body='<p>This is Second Message</p>',
+                subject='Subject',
+                parent_id=message.id,
+                partner_ids=[self.user_admin.partner_id.id],
+                message_type='comment',
+                subtype='mail.mt_comment',
+                mail_auto_delete=False)
+
+        new_mail = self.env['mail.mail'].search([
+            ('mail_message_id', '=', new_msg.id),
+            ('references', '=', message.message_id),
+        ])
+
+        self.assertTrue(new_mail)
+        self.assertEqual(new_msg.parent_id, message)
+
     # --------------------------------------------------
     # WRITE
     # --------------------------------------------------