[FIX] project: access to portal task give access to attachment

If a visitor has access to a task through access_token, he should have access to the task attachments. He already see the list of attachment and their name, but since the task access_token is not propagated to the attachment he doesn't have the rights to see them. In this PR, we generate the attachments access_token and provide them to the user that is viewing a task with an access_token. opw-2125252 closes #41881 Signed-off-by: Nicolas Lempereur (nle) <nle@odoo.com>

[FIX] project: access to portal task give access to attachment
e7984c49 · Nicolas Lempereur · a47f5a83 · e7984c49 · e7984c49
Commit e7984c49 authored 5 years ago by Nicolas Lempereur
--- a/addons/project/controllers/portal.py
+++ b/addons/project/controllers/portal.py
@@ -213,5 +213,8 @@ class CustomerPortal(CustomerPortal):
        except (AccessError, MissingError):
            return request.redirect('/my')

+        # ensure attachment are accessible with access token inside template
+        for attachment in task_sudo.attachment_ids:
+            attachment.generate_access_token()
        values = self._task_get_page_view_values(task_sudo, access_token, **kw)
        return request.render("project.portal_my_task", values)
--- a/addons/project/views/project_portal_templates.xml
+++ b/addons/project/views/project_portal_templates.xml
@@ -238,8 +238,8 @@
                            <div class="row">
                                <div t-attf-class="col {{'col-lg-6' if not task.description else 'col-lg-12'}}">
                                    <ul class="list-group">
-                                        <a class="list-group-item list-group-item-action d-flex align-items-center oe_attachments py-1 px-2" t-foreach='task.attachment_ids' t-as='attachment' t-attf-href="/web/content/#{attachment.id}?download=true" target="_blank" data-no-post-process="">
-                                            <div class='oe_attachment_embedded o_image o_image_small mr-2 mr-lg-3' t-att-title="attachment.name" t-att-data-mimetype="attachment.mimetype" t-attf-data-src="/web/image/#{attachment.id}/50x40"/>
+                                        <a class="list-group-item list-group-item-action d-flex align-items-center oe_attachments py-1 px-2" t-foreach='task.attachment_ids' t-as='attachment' t-attf-href="/web/content/#{attachment.id}?download=true&amp;access_token=#{attachment.access_token}" target="_blank" data-no-post-process="">
+                                            <div class='oe_attachment_embedded o_image o_image_small mr-2 mr-lg-3' t-att-title="attachment.name" t-att-data-mimetype="attachment.mimetype" t-attf-data-src="/web/image/#{attachment.id}/50x40?access_token=#{attachment.access_token}"/>
                                            <div class='oe_attachment_name text-truncate'><t t-esc='attachment.name'/></div>
                                        </a>
                                    </ul>