From f96834b402214a8f51900d26c5845703b81c7501 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thibault=20Delavall=C3=A9e?= <tde@odoo.com>
Date: Tue, 6 Jun 2023 09:07:57 +0200
Subject: [PATCH] [FIX] mail: defensively evaluate 'partner_to' on mail
 templates

MailTemplate model has a 'partner_to' field is dynamically rendered to contain
partners being recipients. After rendering it should hold a comma-separated
list of partner IDs.

However as we are unsure it was correctly written better be defensive. We now
check that we can effectively transform items to IDs using 'isdigit()'.

Task-2612945 (Mail: Defensive email formatting)

Part-of: odoo/odoo#74474
---
 addons/mail/models/mail_template.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/addons/mail/models/mail_template.py b/addons/mail/models/mail_template.py
index 05231920c49d..287cda96dde4 100644
--- a/addons/mail/models/mail_template.py
+++ b/addons/mail/models/mail_template.py
@@ -154,7 +154,7 @@ class MailTemplate(models.Model):
             partner_to = values.pop('partner_to', '')
             if partner_to:
                 # placeholders could generate '', 3, 2 due to some empty field values
-                tpl_partner_ids = [int(pid) for pid in partner_to.split(',') if pid]
+                tpl_partner_ids = [int(pid.strip()) for pid in partner_to.split(',') if (pid and pid.strip().isdigit())]
                 partner_ids += self.env['res.partner'].sudo().browse(tpl_partner_ids).exists().ids
             results[res_id]['partner_ids'] = partner_ids
         return results
-- 
GitLab