changeset 6827:f58bbfe0aefb

Check read access on field in search order issue8189 review279061002
author Cédric Krier <ced@b2ck.com>
date Tue, 02 Apr 2019 19:01:33 +0200
parents 9be9a74cf3bd
children e71764e0ec1b
files CHANGELOG trytond/model/modelstorage.py trytond/tests/test_access.py
diffstat 3 files changed, 24 insertions(+), 4 deletions(-) [+]
--- a/CHANGELOG	Sun Mar 31 00:15:10 2019 +0100
+++ b/CHANGELOG	Tue Apr 02 19:01:33 2019 +0200
@@ -1,3 +1,4 @@
+* Check read access on field in search order (issue8189)
 * Add base64 converter to URL map
 * Add HTML widget
 * Support import of native numeric, date and datetime data
--- a/trytond/model/modelstorage.py	Sun Mar 31 00:15:10 2019 +0100
+++ b/trytond/model/modelstorage.py	Tue Apr 02 19:01:33 2019 +0200
@@ -438,7 +438,7 @@
 
         ModelAccess.check(cls.__name__, 'read')
 
-        def check(domain, cls, to_check):
+        def check_domain(domain, cls, to_check):
             if is_leaf(domain):
                 local, relate = (domain[0].split('.', 1) + [None])[:2]
                 to_check[cls.__name__].add(local)
@@ -448,16 +448,29 @@
                     else:
                         target = cls._fields[local].get_target()
                     target_domain = [(relate,) + tuple(domain[1:])]
-                    check(target_domain, target, to_check)
+                    check_domain(target_domain, target, to_check)
             elif not domain:
                 return
             else:
                 i = 1 if domain[0] in ['OR', 'AND'] else 0
                 for d in domain[i:]:
-                    check(d, cls, to_check)
+                    check_domain(d, cls, to_check)
+
+        def check_order(order, cls, to_check):
+            if not order:
+                return
+            for oexpr, otype in order:
+                local, _, relate = oexpr.partition('.')
+                to_check[cls.__name__].add(local)
+                if relate:
+                    target = cls._fields[local].get_target()
+                    target_order = [(relate, otype)]
+                    check_order(target_order, target, to_check)
+
         if transaction.user and transaction.context.get('_check_access'):
             to_check = defaultdict(set)
-            check(domain, cls, to_check)
+            check_domain(domain, cls, to_check)
+            check_order(order, cls, to_check)
             for name, fields_names in to_check.items():
                 ModelAccess.check(name, 'read')
                 ModelFieldAccess.check(name, fields_names, 'read')
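Review bot: In `check_order`, `cls._fields[local].get_target()` runs for every dotted order expression, so an order naming an unknown field, or a field with no single target, would raise KeyError or AttributeError rather than AccessError. The `else:` in front of the same call in `check_domain` suggests reference fields take a separate path there, which `check_order` has no equivalent for. This fails closed, which is the right direction for an access check, so any guard added later must raise rather than skip the target check silently. I would record that with a comment above the lookup, `# Fail closed: unknown or non-relational fields raise here instead of skipping the target check`, and a line on the function, `# Sorting by a field reveals its relative values, so it needs read access like a domain leaf`. The enclosing search method starts and ends outside this hunk.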
--- a/trytond/tests/test_access.py	Sun Mar 31 00:15:10 2019 +0100
+++ b/trytond/tests/test_access.py	Tue Apr 02 19:01:33 2019 +0200
@@ -299,6 +299,7 @@
         TestAccess.read([record.id], ['relate.value'])
         TestAccess.search([('relate.value', '=', 42)])
         TestAccess.search([('reference.value', '=', 42, 'test.access.relate')])
+        TestAccess.search([], order=[('relate.value', 'ASC')])
 
     @with_transaction(context=_context)
     def test_no_access_relate(self):
@@ -321,6 +322,8 @@
         with self.assertRaises(AccessError):
             TestAccess.search(
                 [('reference.value', '=', 42, 'test.access.relate')])
+        with self.assertRaises(AccessError):
+            TestAccess.search([], order=[('relate.value', 'ASC')])
 
 
 class ModelAccessWriteTestCase(_ModelAccessTestCase):
@@ -858,6 +861,7 @@
 
         TestAccess.search([('relate.value', '=', 42)])
         TestAccess.search([('reference.value', '=', 42, 'test.access.relate')])
+        TestAccess.search([], order=[('relate.value', 'ASC')])
 
     @with_transaction(context=_context)
     def test_no_access_search_relate(self):
@@ -880,6 +884,8 @@
         with self.assertRaises(AccessError):
             TestAccess.search(
                 [('reference.value', '=', 42, 'test.access.relate')])
+        with self.assertRaises(AccessError):
+            TestAccess.search([], order=[('relate.value', 'ASC')])
 
 
 class ModelFieldAccessWriteTestCase(_ModelFieldAccessTestCase):
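Review bot: The added negative case orders only by the dotted `relate.value`, so the non-dotted path in `check_order` (`to_check[cls.__name__].add(local)`) is not exercised for a field of the model itself that the user cannot read. The neighbouring domain assertions also cover `reference.value`, but there is no order counterpart for a reference field; the same applies to the hunk at line 322. If the field-access search tests do not cover it elsewhere, add `with self.assertRaises(AccessError): TestAccess.search([], order=[('<restricted_field>', 'ASC')])`, where `<restricted_field>` is a placeholder for a field the test's access rule denies. The test method body starts outside this hunk, so the rule it sets up is not visible here.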
