From 4e1f847c84e162445719182f260dbbd30091deed Mon Sep 17 00:00:00 2001
From: Fabien Pinckaers
Date: Sat, 25 Jan 2014 15:05:13 +0100
Subject: [PATCH] [FIX] Security Fix + renaming of objects
bzr revid: fp@tinyerp.com-20140125140513-rwcapq0j9hy9gczk
---
 addons/website_quotation/controllers/main.py | 5 ++-
 .../data/website_quotation_demo.xml | 8 ++--
 addons/website_quotation/models/order.py | 43 +++++++++++++++----
 .../security/ir.model.access.csv | 10 +++--
 4 files changed, 47 insertions(+), 19 deletions(-)
diff --git a/addons/website_quotation/controllers/main.py b/addons/website_quotation/controllers/main.py
index f7dd3a26e54..505d70919fc 100644
--- a/addons/website_quotation/controllers/main.py
+++ b/addons/website_quotation/controllers/main.py
@@ -37,7 +37,8 @@ class sale_quote(http.Controller):
 def view(self, order_id, token=None, message=False, **post):
 # use SUPERUSER_ID allow to access/view order for public user
 order = request.registry.get('sale.order').browse(request.cr, token and SUPERUSER_ID or request.uid, order_id)
- if token:
+ print order.name
+ if token:
 assert token == order.access_token, 'Access denied!'
 body=_('Quotation viewed by customer')
 self.message_post(body, order_id, type='comment')
@@ -57,7 +58,7 @@ class sale_quote(http.Controller):
 if not option.line_id:
 return True
 return False
-
+
 @http.route(['/quote/accept'], type='json', auth="public", website=True)
 def accept(self, order_id=None, token=None, signer=None, sign=None, **post):
 order_obj = request.registry.get('sale.order')
diff --git a/addons/website_quotation/data/website_quotation_demo.xml b/addons/website_quotation/data/website_quotation_demo.xml
index 0f50a152c99..52ae77b8754 100644
--- a/addons/website_quotation/data/website_quotation_demo.xml
+++ b/addons/website_quotation/data/website_quotation_demo.xml
@@ -459,8 +459,8 @@ - - + + Advanced CRM Functional 1
@@ -565,8 +565,8 @@ - - + + Functional Webinar 1
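Review bot: `print order.name` on the added line is a leftover debug statement in the authentication path of `view`; it writes the order name to the server's stdout for every request, anonymous ones included, and should be removed before merge. The check right below it is the only gate on the `token and SUPERUSER_ID or request.uid` browse above, yet it is an `assert`, which Python drops under `-O`, so the token comparison silently disappears in optimized runs; replace it with an explicit test that raises, e.g. `if token != order.access_token: raise Exception('Access denied!')` (or the framework's access-denied exception if one is in scope), and consider `hmac.compare_digest` where the interpreter provides it so the comparison does not leak timing. The body of `view` continues past the end of the hunk; the second hunk of this file is whitespace only.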
diff --git a/addons/website_quotation/models/order.py b/addons/website_quotation/models/order.py
index aa79fbd80c7..7fa934cb192 100644
--- a/addons/website_quotation/models/order.py
+++ b/addons/website_quotation/models/order.py
@@ -32,7 +32,7 @@ class sale_quote_template(osv.osv):
 'website_description': fields.html('Description'),
 'quote_line': fields.one2many('sale.quote.line', 'quote_id', 'Quote Template Lines'),
 'note': fields.text('Terms and conditions'),
- 'options': fields.one2many('sale.option.line', 'temp_option_id', 'Optional Products Lines'),
+ 'options': fields.one2many('sale.option.line', 'template_id', 'Optional Products Lines'),
 'number_of_days': fields.integer('Quotation Period Validity'),
 }
@@ -43,7 +43,6 @@ class sale_quote_template(osv.osv):
 'url': '/template/%d' % quote_id[0]
 }
-
 class sale_quote_line(osv.osv):
 _name = "sale.quote.line"
 _description = "Quotation Template Lines"
@@ -74,7 +73,7 @@ class sale_order_line(osv.osv):
 _description = "Sales Order Line"
 _columns = {
 'website_description': fields.html('Line Description'),
- 'option_line_id':fields.one2many('sale.option.line', 'line_id', 'Optional Products Lines'),
+ 'option_line_id':fields.one2many('sale.order.option', 'line_id', 'Optional Products Lines'),
 }
 def product_id_change(self, cr, uid, ids, pricelist, product, qty=0, uom=False, qty_uos=0, uos=False, name='', partner_id=False, lang=False, update_tax=True, date_order=False, packaging=False, fiscal_position=False, flag=False, context=None):
 res = super(sale_order_line, self).product_id_change(cr, uid, ids, pricelist, product, qty, uom, qty_uos, uos, name, partner_id, lang, update_tax, date_order, packaging, fiscal_position, flag, context)
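Review bot: The new line of the first hunk keeps `'sale.option.line'` as the comodel of `options` on `sale_quote_template`, but the rest of this commit renames that model to `sale.order.option` and removes its `temp_option_id` column, while the `template_id` inverse field named here is added to the new `sale.quote.option` model. As written the one2many points at a model name that no longer exists once the patch is applied; it should read `'options': fields.one2many('sale.quote.option', 'template_id', 'Optional Products Lines'),`. The `_columns` dict this entry belongs to opens before the hunk. The other two hunks on this line are a blank-line removal and a consistent comodel rename.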
@@ -100,7 +99,7 @@ class sale_order(osv.osv):
 'access_token': fields.char('Security Token', size=256, required=True),
 'template_id': fields.many2one('sale.quote.template', 'Quote Template'),
 'website_description': fields.html('Description'),
- 'options' : fields.one2many('sale.option.line', 'option_id', 'Optional Products Lines'),
+ 'options' : fields.one2many('sale.order.option', 'order_id', 'Optional Products Lines'),
 'signer_name': fields.char('Signer Name', size=256),
 'validity_date': fields.date('Validity Date'),
 'before_discount': fields.function(_get_total, string='Amount Before Discount', type="float")
@@ -156,15 +155,42 @@ class sale_order(osv.osv):
 return products
+
+class sale_quote_option(osv.osv):
+ _name = "sale.quote.option"
+ _description = "Quote Option"
+ _columns = {
+ 'template_id': fields.many2one('sale.quote.template', 'Quotation Template Reference', ondelete='cascade', select=True, required=True),
+ 'name': fields.text('Description', required=True, translate=True),
+ 'product_id': fields.many2one('product.product', 'Product', domain=[('sale_ok', '=', True)]),
+ 'website_description': fields.html('Option Description', translate=True),
+ 'price_unit': fields.float('Unit Price', required=True),
+ 'discount': fields.float('Discount (%)'),
+ 'uom_id': fields.many2one('product.uom', 'Unit of Measure ', required=True),
+ 'quantity': fields.float('Quantity', required=True),
+ }
+ _defaults = {
+ 'quantity': 1,
+ }
+ def on_change_product_id(self, cr, uid, ids, product, context=None):
+ vals = {}
+ product_obj = self.pool.get('product.product').browse(cr, uid, product, context=context)
+ vals.update({
+ 'price_unit': product_obj.list_price,
+ 'website_description': product_obj.product_tmpl_id.website_description,
+ 'name': product_obj.name,
+ 'uom_id': product_obj.product_tmpl_id.uom_id.id,
+ })
+ return {'value': vals}
+
 class sale_option_line(osv.osv):
- _name = "sale.option.line"
+ _name = "sale.order.option"
 _description = "Sale Options"
 _columns = {
- 'option_id': fields.many2one('sale.order', 'Sale Order Reference', ondelete='cascade', select=True),
- 'temp_option_id': fields.many2one('sale.quote.template', 'Quotation Template Reference', ondelete='cascade', select=True),
+ 'order_id': fields.many2one('sale.order', 'Sale Order Reference', ondelete='cascade', select=True),
 'line_id': fields.many2one('sale.order.line', on_delete="set null"),
 'name': fields.text('Description', required=True),
- 'product_id': fields.many2one('product.product', 'Product', domain=[('sale_ok', '=', True)], change_default=True),
+ 'product_id': 
fields.many2one('product.product', 'Product', domain=[('sale_ok', '=', True)]),
 'website_description': fields.html('Line Description'),
 'price_unit': fields.float('Unit Price', required=True),
 'discount': fields.float('Discount (%)'),
@@ -175,7 +201,6 @@ class sale_option_line(osv.osv):
 _defaults = {
 'quantity': 1,
 }
-
 def on_change_product_id(self, cr, uid, ids, product, context=None):
 vals = {}
 product_obj = self.pool.get('product.product').browse(cr, uid, product, context=context)
diff --git a/addons/website_quotation/security/ir.model.access.csv b/addons/website_quotation/security/ir.model.access.csv
index c4c444c6965..af64bf72e5a 100644
--- a/addons/website_quotation/security/ir.model.access.csv
+++ b/addons/website_quotation/security/ir.model.access.csv
@@ -1,5 +1,7 @@
 id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
-access_sale_order_portal,sale.order.portal,model_sale_order,base.group_portal,1,1,1,0
-access_sale_order_public,sale.order.public,model_sale_order,base.group_public,1,1,1,0
-access_sale_order_line_public,sale.order.line.public,model_sale_order_line,base.group_public,1,1,1,0
-access_sale_options_line_public,sale.option.line.public,model_sale_option_line,base.group_public,1,1,1,0
+access_sale_quote_template,sale.quote.template,model_sale_quote_template,base.group_sale_salesman,1,0,0,0
+access_sale_quote_template_manager,sale.quote.template,model_sale_quote_template,base.group_sale_manager,1,1,1,1
+access_sale_quote_line,sale.quote.line,model_sale_quote_line,base.group_sale_salesman,1,0,0,0
+access_sale_quote_line_manager,sale.quote.line,model_sale_quote_line,base.group_sale_manager,1,1,1,1
+access_sale_quote_option,sale.quote.option,model_sale_quote_option,base.group_sale_salesman,1,0,0,0
+access_sale_quote_option_manager,sale.quote.option,model_sale_quote_option,base.group_sale_manager,1,1,1,1
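Review bot: `on_change_product_id` on the new `sale_quote_option` class browses `product` without checking it, so clearing the product in the form (which sends a falsy `product`) makes the `product_obj.list_price` read fail instead of returning an empty update; add `if not product: return {'value': {}}` before the browse. The method also looks like a copy of the one on `sale_option_line` (its first two lines, visible in the following hunk, are identical; the rest is outside the hunk), so a shared helper would keep the two in step. A smaller point of style: the class is still named `sale_option_line` while its `_name` becomes `sale.order.option`, which makes the rename harder to follow.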
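Review bot: No ir.model.access row survives for the renamed `sale.order.option` model: the removed `access_sale_options_line_public` row was the only one naming `model_sale_option_line`, and the six added rows cover only the quote template, quote line and quote option models. Unless a rule for it lives in another file, sales users will hit an access error when reading the `options` one2many on `sale.order`; add rows following the pattern of the added lines, e.g. `access_sale_order_option,sale.order.option,model_sale_order_option,base.group_sale_salesman,1,0,0,0` and `access_sale_order_option_manager,sale.order.option,model_sale_order_option,base.group_sale_manager,1,1,1,1`. Dropping write and create on `sale.order` and `sale.order.line` for the portal and public groups is the right call; the public quotation flow goes through the token-gated SUPERUSER_ID browse in the controller, so it needs no public read row here.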