Mercurial > trytond
changeset 6827:f58bbfe0aefb
Check read access on field in search order
issue8189
review279061002
| author | Cédric Krier <ced@b2ck.com> |
|---|---|
| date | Tue, 02 Apr 2019 19:01:33 +0200 |
| parents | 9be9a74cf3bd |
| children | e71764e0ec1b |
| files | CHANGELOG trytond/model/modelstorage.py trytond/tests/test_access.py |
| diffstat | 3 files changed, 24 insertions(+), 4 deletions(-) [+] |
line wrap: on
line diff
--- a/CHANGELOG Sun Mar 31 00:15:10 2019 +0100 +++ b/CHANGELOG Tue Apr 02 19:01:33 2019 +0200 @@ -1,3 +1,4 @@ +* Check read access on field in search order (issue8189) * Add base64 converter to URL map * Add HTML widget * Support import of native numeric, date and datetime data
--- a/trytond/model/modelstorage.py Sun Mar 31 00:15:10 2019 +0100 +++ b/trytond/model/modelstorage.py Tue Apr 02 19:01:33 2019 +0200 @@ -438,7 +438,7 @@ ModelAccess.check(cls.__name__, 'read') - def check(domain, cls, to_check): + def check_domain(domain, cls, to_check): if is_leaf(domain): local, relate = (domain[0].split('.', 1) + [None])[:2] to_check[cls.__name__].add(local) @@ -448,16 +448,29 @@ else: target = cls._fields[local].get_target() target_domain = [(relate,) + tuple(domain[1:])] - check(target_domain, target, to_check) + check_domain(target_domain, target, to_check) elif not domain: return else: i = 1 if domain[0] in ['OR', 'AND'] else 0 for d in domain[i:]: - check(d, cls, to_check) + check_domain(d, cls, to_check) + + def check_order(order, cls, to_check): + if not order: + return + for oexpr, otype in order: + local, _, relate = oexpr.partition('.') + to_check[cls.__name__].add(local) + if relate: + target = cls._fields[local].get_target() + target_order = [(relate, otype)] + check_order(target_order, target, to_check) + if transaction.user and transaction.context.get('_check_access'): to_check = defaultdict(set) - check(domain, cls, to_check) + check_domain(domain, cls, to_check) + check_order(order, cls, to_check) for name, fields_names in to_check.items(): ModelAccess.check(name, 'read') ModelFieldAccess.check(name, fields_names, 'read')
--- a/trytond/tests/test_access.py Sun Mar 31 00:15:10 2019 +0100 +++ b/trytond/tests/test_access.py Tue Apr 02 19:01:33 2019 +0200 @@ -299,6 +299,7 @@ TestAccess.read([record.id], ['relate.value']) TestAccess.search([('relate.value', '=', 42)]) TestAccess.search([('reference.value', '=', 42, 'test.access.relate')]) + TestAccess.search([], order=[('relate.value', 'ASC')]) @with_transaction(context=_context) def test_no_access_relate(self): @@ -321,6 +322,8 @@ with self.assertRaises(AccessError): TestAccess.search( [('reference.value', '=', 42, 'test.access.relate')]) + with self.assertRaises(AccessError): + TestAccess.search([], order=[('relate.value', 'ASC')]) class ModelAccessWriteTestCase(_ModelAccessTestCase): @@ -858,6 +861,7 @@ TestAccess.search([('relate.value', '=', 42)]) TestAccess.search([('reference.value', '=', 42, 'test.access.relate')]) + TestAccess.search([], order=[('relate.value', 'ASC')]) @with_transaction(context=_context) def test_no_access_search_relate(self): @@ -880,6 +884,8 @@ with self.assertRaises(AccessError): TestAccess.search( [('reference.value', '=', 42, 'test.access.relate')]) + with self.assertRaises(AccessError): + TestAccess.search([], order=[('relate.value', 'ASC')]) class ModelFieldAccessWriteTestCase(_ModelFieldAccessTestCase):
