odoo
/
odoo
2
0
Fork 0
Code Pull Requests Releases Activity

[FIX] mail: re-apply security fix correctly from 9812 revid:mat@openerp.com-20140206121438-epghqo042ync24v5 of 7.0 branch 

bzr revid: dle@openerp.com-20140206170829-918bxb88qh415w9e
This commit is contained in:
Denis Ledoux 2014-02-06 18:08:29 +01:00
parent 8e4279835b
commit 15c105d95f
1 changed files with 8 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
addons/mail/mail_thread.py
View File

@ -1506,15 +1506,14 @@ class mail_thread(osv.AbstractModel):
user_pid = self.pool.get('res.users').browse(cr, uid, uid, context=context).partner_id.id
if set(partner_ids) == set([user_pid]):
if context.get('operation', '') != 'create':
try:
self.check_access_rights(cr, uid, 'read')
if context.get('operation', '') == 'create':
self.check_access_rule(cr, uid, ids, 'create')
else:
self.check_access_rule(cr, uid, ids, 'read')
except (osv.except_osv, orm.except_orm):
return False
try:
self.check_access_rights(cr, uid, 'read')
if context.get('operation', '') == 'create':
self.check_access_rule(cr, uid, ids, 'create')
else:
self.check_access_rule(cr, uid, ids, 'read')
except (osv.except_osv, orm.except_orm):
return False
else:
self.check_access_rights(cr, uid, 'write')
self.check_access_rule(cr, uid, ids, 'write')