[FIX] Security Fix + renaming of objects
bzr revid: fp@tinyerp.com-20140125140513-rwcapq0j9hy9gczk
This commit is contained in:
Fabien Pinckaers
parent
b15dbfa3a6
commit
4e1f847c84
|
|
@ -37,7 +37,8 @@ class sale_quote(http.Controller):
|
|||
def view(self, order_id, token=None, message=False, **post):
|
||||
# use SUPERUSER_ID allow to access/view order for public user
|
||||
order = request.registry.get('sale.order').browse(request.cr, token and SUPERUSER_ID or request.uid, order_id)
|
||||
if token:
|
||||
print order.name
|
||||
if token:
|
||||
assert token == order.access_token, 'Access denied!'
|
||||
body=_('Quotation viewed by customer')
|
||||
self.message_post(body, order_id, type='comment')
|
||||
|
|
@ -57,7 +58,7 @@ class sale_quote(http.Controller):
|
|||
if not option.line_id:
|
||||
return True
|
||||
return False
|
||||
|
||||
|
||||
@http.route(['/quote/accept'], type='json', auth="public", website=True)
|
||||
def accept(self, order_id=None, token=None, signer=None, sign=None, **post):
|
||||
order_obj = request.registry.get('sale.order')
|
||||
|
|
|
|||
|
|
@ -459,8 +459,8 @@
|
|||
</field>
|
||||
</record>
|
||||
|
||||
<record id="website_sale_option_line_1" model="sale.option.line">
|
||||
<field name="temp_option_id" ref="website_quote_template_1"/>
|
||||
<record id="website_sale_option_line_1" model="sale.quote.option">
|
||||
<field name="template_id" ref="website_quote_template_1"/>
|
||||
<field name="name">Advanced CRM Functional</field>
|
||||
<field name="product_id" ref="product_product_quote_3"/>
|
||||
<field name="product_uom_qty">1</field>
|
||||
|
|
@ -565,8 +565,8 @@
|
|||
</field>
|
||||
</record>
|
||||
|
||||
<record id="website_sale_option_line_2" model="sale.option.line">
|
||||
<field name="temp_option_id" ref="website_quote_template_1"/>
|
||||
<record id="website_sale_option_line_2" model="sale.quote.option">
|
||||
<field name="template_id" ref="website_quote_template_1"/>
|
||||
<field name="name">Functional Webinar</field>
|
||||
<field name="product_id" ref="product_product_quote_4"/>
|
||||
<field name="product_uom_qty">1</field>
|
||||
|
|
|
|||
|
|
@ -32,7 +32,7 @@ class sale_quote_template(osv.osv):
|
|||
'website_description': fields.html('Description'),
|
||||
'quote_line': fields.one2many('sale.quote.line', 'quote_id', 'Quote Template Lines'),
|
||||
'note': fields.text('Terms and conditions'),
|
||||
'options': fields.one2many('sale.option.line', 'temp_option_id', 'Optional Products Lines'),
|
||||
'options': fields.one2many('sale.option.line', 'template_id', 'Optional Products Lines'),
|
||||
'number_of_days': fields.integer('Quotation Period Validity'),
|
||||
}
|
||||
|
||||
|
|
@ -43,7 +43,6 @@ class sale_quote_template(osv.osv):
|
|||
'url': '/template/%d' % quote_id[0]
|
||||
}
|
||||
|
||||
|
||||
class sale_quote_line(osv.osv):
|
||||
_name = "sale.quote.line"
|
||||
_description = "Quotation Template Lines"
|
||||
|
|
@ -74,7 +73,7 @@ class sale_order_line(osv.osv):
|
|||
_description = "Sales Order Line"
|
||||
_columns = {
|
||||
'website_description': fields.html('Line Description'),
|
||||
'option_line_id':fields.one2many('sale.option.line', 'line_id', 'Optional Products Lines'),
|
||||
'option_line_id':fields.one2many('sale.order.option', 'line_id', 'Optional Products Lines'),
|
||||
}
|
||||
def product_id_change(self, cr, uid, ids, pricelist, product, qty=0, uom=False, qty_uos=0, uos=False, name='', partner_id=False, lang=False, update_tax=True, date_order=False, packaging=False, fiscal_position=False, flag=False, context=None):
|
||||
res = super(sale_order_line, self).product_id_change(cr, uid, ids, pricelist, product, qty, uom, qty_uos, uos, name, partner_id, lang, update_tax, date_order, packaging, fiscal_position, flag, context)
|
||||
|
|
@ -100,7 +99,7 @@ class sale_order(osv.osv):
|
|||
'access_token': fields.char('Security Token', size=256, required=True),
|
||||
'template_id': fields.many2one('sale.quote.template', 'Quote Template'),
|
||||
'website_description': fields.html('Description'),
|
||||
'options' : fields.one2many('sale.option.line', 'option_id', 'Optional Products Lines'),
|
||||
'options' : fields.one2many('sale.order.option', 'order_id', 'Optional Products Lines'),
|
||||
'signer_name': fields.char('Signer Name', size=256),
|
||||
'validity_date': fields.date('Validity Date'),
|
||||
'before_discount': fields.function(_get_total, string='Amount Before Discount', type="float")
|
||||
|
|
@ -156,15 +155,42 @@ class sale_order(osv.osv):
|
|||
return products
|
||||
|
||||
|
||||
|
||||
class sale_quote_option(osv.osv):
|
||||
_name = "sale.quote.option"
|
||||
_description = "Quote Option"
|
||||
_columns = {
|
||||
'template_id': fields.many2one('sale.quote.template', 'Quotation Template Reference', ondelete='cascade', select=True, required=True),
|
||||
'name': fields.text('Description', required=True, translate=True),
|
||||
'product_id': fields.many2one('product.product', 'Product', domain=[('sale_ok', '=', True)]),
|
||||
'website_description': fields.html('Option Description', translate=True),
|
||||
'price_unit': fields.float('Unit Price', required=True),
|
||||
'discount': fields.float('Discount (%)'),
|
||||
'uom_id': fields.many2one('product.uom', 'Unit of Measure ', required=True),
|
||||
'quantity': fields.float('Quantity', required=True),
|
||||
}
|
||||
_defaults = {
|
||||
'quantity': 1,
|
||||
}
|
||||
def on_change_product_id(self, cr, uid, ids, product, context=None):
|
||||
vals = {}
|
||||
product_obj = self.pool.get('product.product').browse(cr, uid, product, context=context)
|
||||
vals.update({
|
||||
'price_unit': product_obj.list_price,
|
||||
'website_description': product_obj.product_tmpl_id.website_description,
|
||||
'name': product_obj.name,
|
||||
'uom_id': product_obj.product_tmpl_id.uom_id.id,
|
||||
})
|
||||
return {'value': vals}
|
||||
|
||||
class sale_option_line(osv.osv):
|
||||
_name = "sale.option.line"
|
||||
_name = "sale.order.option"
|
||||
_description = "Sale Options"
|
||||
_columns = {
|
||||
'option_id': fields.many2one('sale.order', 'Sale Order Reference', ondelete='cascade', select=True),
|
||||
'temp_option_id': fields.many2one('sale.quote.template', 'Quotation Template Reference', ondelete='cascade', select=True),
|
||||
'order_id': fields.many2one('sale.order', 'Sale Order Reference', ondelete='cascade', select=True),
|
||||
'line_id': fields.many2one('sale.order.line', on_delete="set null"),
|
||||
'name': fields.text('Description', required=True),
|
||||
'product_id': fields.many2one('product.product', 'Product', domain=[('sale_ok', '=', True)], change_default=True),
|
||||
'product_id': fields.many2one('product.product', 'Product', domain=[('sale_ok', '=', True)]),
|
||||
'website_description': fields.html('Line Description'),
|
||||
'price_unit': fields.float('Unit Price', required=True),
|
||||
'discount': fields.float('Discount (%)'),
|
||||
|
|
@ -175,7 +201,6 @@ class sale_option_line(osv.osv):
|
|||
_defaults = {
|
||||
'quantity': 1,
|
||||
}
|
||||
|
||||
def on_change_product_id(self, cr, uid, ids, product, context=None):
|
||||
vals = {}
|
||||
product_obj = self.pool.get('product.product').browse(cr, uid, product, context=context)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,7 @@
|
|||
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
|
||||
access_sale_order_portal,sale.order.portal,model_sale_order,base.group_portal,1,1,1,0
|
||||
access_sale_order_public,sale.order.public,model_sale_order,base.group_public,1,1,1,0
|
||||
access_sale_order_line_public,sale.order.line.public,model_sale_order_line,base.group_public,1,1,1,0
|
||||
access_sale_options_line_public,sale.option.line.public,model_sale_option_line,base.group_public,1,1,1,0
|
||||
access_sale_quote_template,sale.quote.template,model_sale_quote_template,base.group_sale_salesman,1,0,0,0
|
||||
access_sale_quote_template_manager,sale.quote.template,model_sale_quote_template,base.group_sale_manager,1,1,1,1
|
||||
access_sale_quote_line,sale.quote.line,model_sale_quote_line,base.group_sale_salesman,1,0,0,0
|
||||
access_sale_quote_line_manager,sale.quote.line,model_sale_quote_line,base.group_sale_manager,1,1,1,1
|
||||
access_sale_quote_option,sale.quote.option,model_sale_quote_option,base.group_sale_salesman,1,0,0,0
|
||||
access_sale_quote_option_manager,sale.quote.option,model_sale_quote_option,base.group_sale_manager,1,1,1,1
|
||||
|
|
|
|||
|
Loading…
Reference in New Issue