From e8f558aac50f3ad628e9060d1ed212ae4321aa61 Mon Sep 17 00:00:00 2001
From: Jinal Patel <jip@odoo.com>
Date: Fri, 20 Aug 2021 07:14:09 +0000
Subject: [PATCH] [FIX] mail: fix ACLs issue with mail composer in new mode

As create_uid has no value on the mail.compose.message model in onchange
or new mode, the 'Mail Compose Message Rule' record rule may crash. This
commit fixes that issue by providing a value for create_uid. A unit test is
added to ensure it effectively fixes the use case.

Steps to reproduce this warning:
 1. Create automated action for the 'mail.compose.message' model
 2. Try to open 'Email compose Wizard'

Warning:

"Due to security restrictions, you are not allowed to modify 'Email composition
wizard' (mail.compose.message) records.

Records: mail.compose.message,NewId_0x7f8e99762310 (id=NewId_0x7f8e99762310)
User: USERNAME (id=2)

This restriction is due to the following rules:

Contact your administrator to request access if necessary."

Task-2641572
opw-2628005
PR odoo#76159
Closes#75369

Part-of: odoo/odoo#76159
Co-authored-by: Thibault Delavallee <tde@odoo.com>
---
 addons/base_automation/tests/__init__.py      |  2 +
 .../tests/test_mail_composer.py               | 39 +++++++++++++++++++
 addons/mail/tests/test_mail_full_composer.py  |  2 +-
 addons/mail/wizard/mail_compose_message.py    |  4 ++
 4 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 addons/base_automation/tests/test_mail_composer.py

diff --git a/addons/base_automation/tests/__init__.py b/addons/base_automation/tests/__init__.py
index 92a8a4959d90..a6533bd6153b 100644
--- a/addons/base_automation/tests/__init__.py
+++ b/addons/base_automation/tests/__init__.py
@@ -1,3 +1,5 @@
 # -*- coding: utf-8 -*-
 # Part of Odoo. See LICENSE file for full copyright and licensing details.
+
 from . import test_automation
+from . import test_mail_composer
diff --git a/addons/base_automation/tests/test_mail_composer.py b/addons/base_automation/tests/test_mail_composer.py
new file mode 100644
index 000000000000..2609466facdc
--- /dev/null
+++ b/addons/base_automation/tests/test_mail_composer.py
@@ -0,0 +1,39 @@
+# -*- coding: utf-8 -*-
+# Part of Odoo. See LICENSE file for full copyright and licensing details.
+
+from odoo.tests.common import tagged, HttpCase
+
+
+@tagged('-at_install', 'post_install', 'mail_composer')
+class TestMailFullComposer(HttpCase):
+
+    def test_full_composer_tour(self):
+        self.env['mail.template'].create({
+            'name': 'Test template',  # name hardcoded for test
+            'partner_to': '${object.id}',
+            'lang': '${object.lang}',
+            'auto_delete': True,
+            'model_id': self.ref('base.model_res_partner'),
+        })
+        test_user = self.env['res.users'].create({
+            'email': 'testuser@testuser.com',
+            'groups_id': [
+                (6, 0, [self.ref('base.group_user'), self.ref('base.group_partner_manager')]),
+            ],
+            'name': 'Test User',
+            'login': 'testuser',
+            'password': 'testuser',
+        })
+
+        automated_action = self.env['base.automation'].create({
+            'name': 'Test',
+            'active': True,
+            'trigger': 'on_change',
+            'on_change_field_ids': (4, self.ref('mail.field_mail_compose_message__template_id'),),
+            'state': 'code',
+            'model_id': self.env.ref('mail.model_mail_compose_message').id,
+        })
+
+        self.start_tour("/web#id=%d&model=res.partner" % test_user.partner_id, 'mail/static/tests/tours/mail_full_composer_test_tour.js', login='testuser')
+
+        automated_action.unlink()
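Review bot: In the `base.automation` create call, `on_change_field_ids` is given a bare command tuple `(4, self.ref(...),)` rather than a list of commands, so the link to `template_id` may not be applied as intended; if the field ends up empty, the tour may not exercise the onchange path this commit fixes. I would write `'on_change_field_ids': [(4, self.ref('mail.field_mail_compose_message__template_id'))],`. The URL is also built with `"%d" % test_user.partner_id`, which formats a recordset; `test_user.partner_id.id` states the intent directly. Since the fix concerns a record rule, a short docstring on `test_full_composer_tour` would make the covered case explicit: a non-admin user opens the composer while an on_change automation exists on `mail.compose.message`.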
diff --git a/addons/mail/tests/test_mail_full_composer.py b/addons/mail/tests/test_mail_full_composer.py
index 35dea3ae581e..e14e04288ead 100644
--- a/addons/mail/tests/test_mail_full_composer.py
+++ b/addons/mail/tests/test_mail_full_composer.py
@@ -4,7 +4,7 @@
 from odoo.tests.common import tagged, HttpCase
 
 
-@tagged('-at_install', 'post_install')
+@tagged('-at_install', 'post_install', 'mail_composer')
 class TestMailFullComposer(HttpCase):
 
     def test_full_composer_tour(self):
diff --git a/addons/mail/wizard/mail_compose_message.py b/addons/mail/wizard/mail_compose_message.py
index 327cad2bc8b8..cfca50912579 100644
--- a/addons/mail/wizard/mail_compose_message.py
+++ b/addons/mail/wizard/mail_compose_message.py
@@ -77,6 +77,10 @@ class MailComposer(models.TransientModel):
         if result.get('composition_mode') == 'comment' and (set(fields) & set(['model', 'res_id', 'partner_ids', 'record_name', 'subject'])):
             result.update(self.get_record_data(result))
 
+        # when being in new mode, create_uid is not granted -> ACLs issue may arise
+        if 'create_uid' in fields and 'create_uid' not in result:
+            result['create_uid'] = self.env.uid
+
         filtered_result = dict((fname, result[fname]) for fname in result if fname in fields)
         return filtered_result
 
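Review bot: The added comment says create_uid "is not granted", which does not tell a maintainer why a magic field is being defaulted here. Per the commit message, the 'Mail Compose Message Rule' record rule depends on create_uid, which has no value on a record in onchange/new mode. I would reword it to `# new (unsaved) records have no create_uid; the 'Mail Compose Message Rule' record rule reads it, so default it to the current user`. It would also help to say that this default is only meant for the in-memory record, assuming the ORM still sets create_uid itself on actual creation, which is not visible in this hunk. The method starts above the hunk, so how `result` and `fields` are built cannot be checked from here.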
-- 
GitLab