audrius/manufacture
1
0
Fork 0
mirror of https://github.com/OCA/manufacture.git synced 2025-01-28 16:37:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

[FIX] security issues:

Browse Source 
* Some manager can't access all records.
* Interfering purchase_request_procurement
This commit is contained in:
lreficent
2017-07-27 11:01:05 +02:00
committed by Chandresh Thakkar
parent 774d28df42
commit 3610d75aab
3 changed files with 14 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
mrp_production_request/models/procurement.py
View File

@@ -43,13 +43,13 @@ class ProcurementOrder(models.Model):
result = super(ProcurementOrder, self).propagate_cancels()
for procurement in self:
mrp_production_requests = \
self.env['mrp.production.request'].search([
self.env['mrp.production.request'].sudo().search([
('procurement_id', '=', procurement.id)])
if mrp_production_requests and not self.env.context.get(
'from_mrp_production_request'):
mrp_production_requests.button_cancel()
mrp_production_requests.sudo().button_cancel()
for mr in mrp_production_requests:
mr.message_post(
mr.sudo().message_post(
body=_("Related procurement has been cancelled."))
procurement.write({'mrp_production_request_id': None})
return result

2
mrp_production_request/security/ir.model.access.csv
View File

@@ -1,3 +1,3 @@
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_mrp_production_request_user,mrp.request.user,model_mrp_production_request,group_mrp_production_request_user,1,1,1,1
access_mrp_production_request_user,mrp.request.user,model_mrp_production_request,group_mrp_production_request_user,1,1,1,0
access_mrp_production_request_manager,mrp.request.manager,model_mrp_production_request,group_mrp_production_request_manager,1,1,1,1
1 id name model_id:id group_id:id perm_read perm_write perm_create perm_unlink
2 access_mrp_production_request_user mrp.request.user model_mrp_production_request group_mrp_production_request_user 1 1 1 1 0
3 access_mrp_production_request_manager mrp.request.manager model_mrp_production_request group_mrp_production_request_manager 1 1 1 1

10
mrp_production_request/security/mrp_production_request_security.xml
View File

@@ -59,5 +59,15 @@
<field name="domain_force">[('requested_by','=',user.id)]</field>
</record>
<record id="mpr_production_request_line_manager_rule" model="ir.rule">
<field name="name">Manufacturing Request Line Manager</field>
<field name="model_id" ref="model_mrp_production_request"/>
<field name="groups" eval="[(6,0, [ref('group_mrp_production_request_manager')])]"/>
<field name="perm_read" eval="True"/>
<field name="perm_write" eval="True"/>
<field name="perm_create" eval="True"/>
<field name="perm_unlink" eval="True"/>
</record>
</data>
</odoo>