[tryton-commits] changeset in trytond:4.4 Check read access on field in search order

Tue, 02 Apr 2019 10:08:08 -0700 

changeset afae3dc25291 in trytond:4.4
details: https://hg.tryton.org/trytond?cmd=changeset;node=afae3dc25291
description:
        Check read access on field in search order

        issue8189
        review279061002
        (grafted from f58bbfe0aefba43f143d68902355ab6b6e91022d)
diffstat:

 CHANGELOG                     |   2 ++
 trytond/model/modelstorage.py |  21 +++++++++++++++++----
 2 files changed, 19 insertions(+), 4 deletions(-)

diffs (54 lines):

diff -r 9a07ef0635f4 -r afae3dc25291 CHANGELOG
--- a/CHANGELOG Fri Mar 22 18:25:52 2019 +0100
+++ b/CHANGELOG Tue Apr 02 19:01:33 2019 +0200
@@ -1,3 +1,5 @@
+* Check read access on field in search order (issue8189)
+
 Version 4.4.18 - 2019-02-19
 * Bug fixes (see mercurial logs for details)
 
diff -r 9a07ef0635f4 -r afae3dc25291 trytond/model/modelstorage.py
--- a/trytond/model/modelstorage.py     Fri Mar 22 18:25:52 2019 +0100
+++ b/trytond/model/modelstorage.py     Tue Apr 02 19:01:33 2019 +0200
@@ -383,7 +383,7 @@
 
         ModelAccess.check(cls.__name__, 'read')
 
-        def check(domain, cls, to_check):
+        def check_domain(domain, cls, to_check):
             if is_leaf(domain):
                 local, relate = (domain[0].split('.', 1) + [None])[:2]
                 to_check[cls.__name__].add(local)
@@ -393,16 +393,29 @@
                     else:
                         target = cls._fields[local].get_target()
                     target_domain = [(relate,) + tuple(domain[1:])]
-                    check(target_domain, target, to_check)
+                    check_domain(target_domain, target, to_check)
             elif not domain:
                 return
             else:
                 i = 1 if domain[0] in ['OR', 'AND'] else 0
                 for d in domain[i:]:
-                    check(d, cls, to_check)
+                    check_domain(d, cls, to_check)
+
+        def check_order(order, cls, to_check):
+            if not order:
+                return
+            for oexpr, otype in order:
+                local, _, relate = oexpr.partition('.')
+                to_check[cls.__name__].add(local)
+                if relate:
+                    target = cls._fields[local].get_target()
+                    target_order = [(relate, otype)]
+                    check_order(target_order, target, to_check)
+
         if transaction.user and transaction.context.get('_check_access'):
             to_check = defaultdict(set)
-            check(domain, cls, to_check)
+            check_domain(domain, cls, to_check)
+            check_order(order, cls, to_check)
             for name, fields_names in to_check.items():
                 ModelAccess.check(name, 'read')
                 ModelFieldAccess.check(name, fields_names, 'read')

Reply via email to