From eaad70daac22fd0fde1c63484b7f29eae6302e41 Mon Sep 17 00:00:00 2001 From: Denis Ledoux Date: Fri, 3 Apr 2015 12:40:57 +0200 Subject: [PATCH] [FIX] ir_attachment: upload of attachment for non-employees This rev. is related to eb9113c04d66627fbe04b473b9010e5de973c6aa if a model or a resource id is not defined on an attachment restrict access to employees only if the creator of this attachment is not the current user. So non-employees can access their attachments without models/resource id, which includes attachment of discussions threads. Fixes #4309 Closes #4310 --- openerp/addons/base/ir/ir_attachment.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/openerp/addons/base/ir/ir_attachment.py b/openerp/addons/base/ir/ir_attachment.py
index 6452b0d4f47..73bf8c94b43 100644
--- a/openerp/addons/base/ir/ir_attachment.py
+++ b/openerp/addons/base/ir/ir_attachment.py
@@ -197,10 +197,11 @@ class ir_attachment(osv.osv):
 if ids:
 if isinstance(ids, (int, long)):
 ids = [ids]
- cr.execute('SELECT DISTINCT res_model, res_id FROM ir_attachment WHERE id = ANY (%s)', (ids,))
- for rmod, rid in cr.fetchall():
+ cr.execute('SELECT DISTINCT res_model, res_id, create_uid FROM ir_attachment WHERE id = ANY (%s)', (ids,))
+ for rmod, rid, create_uid in cr.fetchall():
 if not (rmod and rid):
- require_employee = True
+ if create_uid != uid:
+ require_employee = True
 continue
 res_ids.setdefault(rmod,set()).add(rid)
 if values:
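Review bot: The new `if create_uid != uid:` branch makes authorship the only access condition for an attachment with no `res_model`/`res_id`, and the code carries no comment saying so or stating the assumption behind it. That is sound only while each uid maps to one person; where a login is shared (a public or portal account, for instance — inferred, not visible in this hunk), everyone using it passes this branch for every unattached file that login created. I would record the rule above the test, e.g. `# unattached files: the creator is exempt from the employee-only rule; assumes uid is not a shared account`, and add a regression test that a non-employee is still refused on another user's unattached attachment. A NULL `create_uid` compares unequal to `uid` and so still sets `require_employee`, which is the safe default. The enclosing method starts and ends outside the hunk, so whether this path is limited to a particular access mode cannot be checked from here.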