diff --git a/addons/auth_ldap/users_ldap.py b/addons/auth_ldap/users_ldap.py
index 2c7523db4303cf1db9290c6bca55dfdd3a9b4ff3..92d723af3d97df100edcc6d884a040b52433a5c3 100644
--- a/addons/auth_ldap/users_ldap.py
+++ b/addons/auth_ldap/users_ldap.py
@@ -249,6 +249,10 @@ class users(osv.osv):
return user_id
registry = RegistryManager.get(db)
with registry.cursor() as cr:
+ cr.execute("SELECT id, active FROM res_users WHERE lower(login)=%s", (login,))
+ res = cr.fetchone()
+ if res:
+ return False
ldap_obj = registry.get('res.company.ldap')
for conf in ldap_obj.get_ldap_dicts(cr):
entry = ldap_obj.authenticate(conf, login, password)
diff --git a/addons/payment/__openerp__.py b/addons/payment/__openerp__.py
index c192bec7c1b48cb515dc0d5b31b5f19a2e127016..a3843a872c1e387ebf57b24eeb67bbfe914e170d 100644
--- a/addons/payment/__openerp__.py
+++ b/addons/payment/__openerp__.py
@@ -12,6 +12,7 @@
'views/payment_acquirer.xml',
'views/res_config_view.xml',
'security/ir.model.access.csv',
+ 'security/payment_security.xml',
],
'installable': True,
'auto_install': True,
diff --git a/addons/payment/security/ir.model.access.csv b/addons/payment/security/ir.model.access.csv
index 18f9893947210414233f4eae4ba98a3c4e4de66e..f52f9a44d4e697a5cc679d23a7eb977055ab23fd 100644
--- a/addons/payment/security/ir.model.access.csv
+++ b/addons/payment/security/ir.model.access.csv
@@ -2,6 +2,6 @@ id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
payment_acquirer_all,payment.acquirer.all,model_payment_acquirer,,1,0,0,0
payment_acquirer_user,payment.acquirer.user,model_payment_acquirer,base.group_user,1,1,1,0
payment_acquirer_system,payment.acquirer.system,model_payment_acquirer,base.group_system,1,1,1,1
-payment_transaction_all,payment.transaction.all,model_payment_transaction,,1,1,1,0
+payment_transaction_all,payment.transaction.all,model_payment_transaction,,1,0,0,0
payment_transaction_user,payment.transaction.user,model_payment_transaction,base.group_user,1,1,1,0
payment_transaction_system,payment.transaction.system,model_payment_transaction,base.group_system,1,1,1,1
\ No newline at end of file
diff --git a/addons/payment/security/payment_security.xml b/addons/payment/security/payment_security.xml
new file mode 100644
index 0000000000000000000000000000000000000000..7bae346c6487c344b6b2eaf3698975dbbc9e25f6
--- /dev/null
+++ b/addons/payment/security/payment_security.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<openerp>
+ <data noupdate="1">
+
+ <record id="payment_transaction_user_rule" model="ir.rule">
+ <field name="name">Access own payment transaction only</field>
+ <field name="model_id" ref="payment.model_payment_transaction"/>
+ <field name="domain_force">[
+ '|',
+ ('partner_id','=',False),
+ ('partner_id','=',user.partner_id.id)
+ ]</field>
+ <field name="groups" eval="[(4, ref('base.group_user')), (4, ref('base.group_portal')), (4, ref('base.group_public'))]"/>
+ </record>
+
+ <record id="payment_transaction_salesman_rule" model="ir.rule">
+ <field name="name">Access every payment transaction</field>
+ <field name="model_id" ref="payment.model_payment_transaction"/>
+ <field name="domain_force">[(1, '=', 1)]</field>
+ <field name="groups" eval="[(4, ref('base.group_sale_salesman'))]"/>
+ </record>
+
+ </data>
+</openerp>
diff --git a/addons/payment_paypal/models/paypal.py b/addons/payment_paypal/models/paypal.py
index 3021c685e90fa80231befb180522f5ef70d7d7ef..c94622a690bf8b4e939639790b53acccda4148fd 100644
--- a/addons/payment_paypal/models/paypal.py
+++ b/addons/payment_paypal/models/paypal.py
@@ -14,6 +14,7 @@ from openerp.addons.payment.models.payment_acquirer import ValidationError
from openerp.addons.payment_paypal.controllers.main import PaypalController
from openerp.osv import osv, fields
from openerp.tools.float_utils import float_compare
+from openerp import SUPERUSER_ID
_logger = logging.getLogger(__name__)
@@ -69,13 +70,14 @@ class AcquirerPaypal(osv.Model):
res = cr.fetchall()
for (company_id, company_paypal_account) in res:
if company_paypal_account:
- company_paypal_ids = self.search(cr, uid, [('company_id', '=', company_id), ('name', '=', 'paypal')], limit=1, context=context)
+ company_paypal_ids = self.search(cr, uid, [('company_id', '=', company_id), ('provider', '=', 'paypal')], limit=1, context=context)
if company_paypal_ids:
self.write(cr, uid, company_paypal_ids, {'paypal_email_account': company_paypal_account}, context=context)
else:
paypal_view = self.pool['ir.model.data'].get_object(cr, uid, 'payment_paypal', 'paypal_acquirer_button')
self.create(cr, uid, {
- 'name': 'paypal',
+ 'name': 'Paypal',
+ 'provider': 'paypal',
'paypal_email_account': company_paypal_account,
'view_template_id': paypal_view.id,
}, context=context)
@@ -104,7 +106,7 @@ class AcquirerPaypal(osv.Model):
return fees
def paypal_form_generate_values(self, cr, uid, id, partner_values, tx_values, context=None):
- base_url = self.pool['ir.config_parameter'].get_param(cr, uid, 'web.base.url')
+ base_url = self.pool['ir.config_parameter'].get_param(cr, SUPERUSER_ID, 'web.base.url')
acquirer = self.browse(cr, uid, id, context=context)
paypal_tx_values = dict(tx_values)
diff --git a/addons/point_of_sale/point_of_sale.py b/addons/point_of_sale/point_of_sale.py
index 67fdf5cf196ccd8c0c390b4cb2f7c8a518b39591..aeb1ca8ea462a08ebcc59c4f8d244681972799dd 100644
--- a/addons/point_of_sale/point_of_sale.py
+++ b/addons/point_of_sale/point_of_sale.py
@@ -396,6 +396,7 @@ class pos_session(osv.osv):
if not cashids:
cashids = journal_proxy.search(cr, uid, [('journal_user','=',True)], context=context)
+ journal_proxy.write(cr, uid, cashids, {'journal_user': True})
jobj.write(cr, uid, [pos_config.id], {'journal_ids': [(6,0, cashids)]})
diff --git a/addons/portal_sale/security/ir.model.access.csv b/addons/portal_sale/security/ir.model.access.csv
index 02c4db9fb1c2929e2e4dd6e9b9b0d8afd3fa0547..88cd0e961d3075259660a3aec958d9a61c0187f2 100644
--- a/addons/portal_sale/security/ir.model.access.csv
+++ b/addons/portal_sale/security/ir.model.access.csv
@@ -9,3 +9,7 @@ access_product_list,product.pricelist,product.model_product_pricelist,base.group
access_res_partner,res.partner,base.model_res_partner,base.group_portal,1,0,0,0
access_account_tax,account.tax,account.model_account_tax,base.group_portal,1,0,0,0
access_res_partner_category,res.partner.category,base.model_res_partner_category,base.group_portal,1,0,0,0
+access_product_attribute_portal,product.attribute portal,product.model_product_attribute,base.group_portal,1,0,0,0
+access_product_attribute_value_portal,product.attribute value portal,product.model_product_attribute_value,base.group_portal,1,0,0,0
+access_product_attribute_price_portal,product.attribute price portal,product.model_product_attribute_price,base.group_portal,1,0,0,0
+access_product_attribute_line_portal,product.attribute line portal,product.model_product_attribute_line,base.group_portal,1,0,0,0
diff --git a/addons/website_sale/controllers/main.py b/addons/website_sale/controllers/main.py
index 537f2f004f7119116a516ac8369eb9cb9e3a80d8..75d5a4058af6108afe76270ea316c0e48cc68ad3 100644
--- a/addons/website_sale/controllers/main.py
+++ b/addons/website_sale/controllers/main.py
@@ -700,7 +700,7 @@ class website_sale(http.Controller):
}
tx_ids = request.registry['payment.transaction'].search(
- cr, uid, [
+ cr, SUPERUSER_ID, [
'|', ('sale_order_id', '=', order.id), ('reference', '=', order.name)
], context=context)
@@ -715,7 +715,7 @@ class website_sale(http.Controller):
message = ""
validation = None
else:
- tx = request.registry['payment.transaction'].browse(cr, uid, tx_ids[0], context=context)
+ tx = request.registry['payment.transaction'].browse(cr, SUPERUSER_ID, tx_ids[0], context=context)
state = tx.state
if state == 'done':
message = '<p>%s</p>' % _('Your payment has been received.')
diff --git a/addons/website_sale/models/sale_order.py b/addons/website_sale/models/sale_order.py
index 60785910834f865aea5e0917a22e52f6f99bd0b8..ebc7bcab5b7608564dbd07211c8068c2223e03ff 100644
--- a/addons/website_sale/models/sale_order.py
+++ b/addons/website_sale/models/sale_order.py
@@ -205,9 +205,9 @@ class website(orm.Model):
transaction_obj = self.pool.get('payment.transaction')
tx_id = request.session.get('sale_transaction_id')
if tx_id:
- tx_ids = transaction_obj.search(cr, uid, [('id', '=', tx_id), ('state', 'not in', ['cancel'])], context=context)
+ tx_ids = transaction_obj.search(cr, SUPERUSER_ID, [('id', '=', tx_id), ('state', 'not in', ['cancel'])], context=context)
if tx_ids:
- return transaction_obj.browse(cr, uid, tx_ids[0], context=context)
+ return transaction_obj.browse(cr, SUPERUSER_ID, tx_ids[0], context=context)
else:
request.session['sale_transaction_id'] = False
return False
diff --git a/addons/website_sale/views/sale_order.xml b/addons/website_sale/views/sale_order.xml
index ad90e1e7c4377f03051ae3c51befc7fdb4fcc2a0..2568ec21603bd444c41ed93b820057e1f4845f70 100644
--- a/addons/website_sale/views/sale_order.xml
+++ b/addons/website_sale/views/sale_order.xml
@@ -8,8 +8,8 @@
<field name="inherit_id" ref="sale.view_order_form"/>
<field name="arch" type="xml">
<xpath expr="//field[@name='amount_total']" position="after">
- <field name="payment_acquirer_id" readonly="1" attrs="{'invisible': [('payment_acquirer_id', '=', False)]}"/>
- <field name="payment_tx_id" readonly="1" attrs="{'invisible': [('payment_acquirer_id', '=', False)]}"/>
+ <field name="payment_acquirer_id" readonly="1" attrs="{'invisible': [('payment_acquirer_id', '=', False)]}" options='{"no_open":True}'/>
+ <field name="payment_tx_id" readonly="1" attrs="{'invisible': [('payment_acquirer_id', '=', False)]}" groups="base.group_no_one"/>
</xpath>
</field>
</record>
diff --git a/openerp/models.py b/openerp/models.py
index da53a7633767368c9a40c56f07a259b3a26a19d0..6b909be10437bf1294abef0d96e4ef6b168c1416 100644
--- a/openerp/models.py
+++ b/openerp/models.py
@@ -3694,6 +3694,7 @@ class BaseModel(object):
readonly = None
self.check_field_access_rights(cr, user, 'write', vals.keys())
+ deleted_related = defaultdict(list)
for field in vals.keys():
fobj = None
if field in self._columns:
@@ -3702,6 +3703,10 @@ class BaseModel(object):
fobj = self._inherit_fields[field][2]
if not fobj:
continue
+ if fobj._type in ['one2many', 'many2many'] and vals[field]:
+ for wtuple in vals[field]:
+ if isinstance(wtuple, (tuple, list)) and wtuple[0] == 2:
+ deleted_related[fobj._obj].append(wtuple[1])
groups = fobj.write
if groups:
@@ -3905,7 +3910,8 @@ class BaseModel(object):
for id in ids_to_update:
if id not in done[key]:
done[key][id] = True
- todo.append(id)
+ if id not in deleted_related[model_name]:
+ todo.append(id)
self.pool[model_name]._store_set_values(cr, user, todo, fields_to_recompute, context)
# recompute new-style fields
diff --git a/openerp/modules/loading.py b/openerp/modules/loading.py
index 0568b0d1a3882fa5e2f67ed768b2f4136dffd784..61e573de3ffde95d884524586a72e4bae002f0bd 100644
--- a/openerp/modules/loading.py
+++ b/openerp/modules/loading.py
@@ -278,6 +278,7 @@ def load_modules(db, force_demo=False, status=None, update_module=False):
if not openerp.modules.db.is_initialized(cr):
_logger.info("init db")
openerp.modules.db.initialize(cr)
+ update_module = True # process auto-installed modules
tools.config["init"]["all"] = 1
tools.config['update']['all'] = 1
if not tools.config['without_demo']: