From aa9e542129109a81fd5c3e5330cc238f87b8c554 Mon Sep 17 00:00:00 2001 From: david Date: Mon, 26 Apr 2021 12:47:29 +0200 Subject: [PATCH] [FIX] website_rma: controller implementation It was assumed that this method (used for any model) always had an RMA in return, which wasn't correct at all and could lead to cross-model and cross-customer subscripting if an RMA id matched the one of the form model creating (eg.: `crm.lead` in 'Contact Us' form) --- website_rma/controllers/main.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/website_rma/controllers/main.py b/website_rma/controllers/main.py index bf365282..54e51a02 100644 --- a/website_rma/controllers/main.py +++ b/website_rma/controllers/main.py @@ -9,11 +9,11 @@ from odoo.http import request class WebsiteForm(WebsiteForm): def insert_record(self, request, model, values, custom, meta=None): - if model.model == 'rma': - values['partner_id'] = request.env.user.partner_id.id - values['origin'] = 'Website form' - res = super(WebsiteForm, self).insert_record( - request, model, values, custom, meta) + if model.model != 'rma': + return super().insert_record(request, model, values, custom, meta) + values['partner_id'] = request.env.user.partner_id.id + values['origin'] = 'Website form' + res = super().insert_record(request, model, values, custom, meta) # Add the customer to the followers, the same as when creating # an RMA from a sales order in the portal. rma = request.env['rma'].browse(res).sudo()