changeset cb334e6fd66b in trytond:default
details: https://hg.tryton.org/trytond?cmd=changeset;node=cb334e6fd66b
description:
        Ignore link of action that user can not read

        We must also prevent the client from reading link actions for which the
        user has no read access.

        issue9364
        review305661002
diffstat:

 trytond/model/modelview.py      |   8 ++++++--
 trytond/tests/test_modelview.py |  26 ++++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 2 deletions(-)

diffs (54 lines):

diff -r aff8066131c9 -r cb334e6fd66b trytond/model/modelview.py
--- a/trytond/model/modelview.py        Mon May 25 09:39:17 2020 +0200
+++ b/trytond/model/modelview.py        Thu May 28 18:17:40 2020 +0200
@@ -646,8 +646,12 @@
         if element.tag == 'link':
             link_name = element.attrib['name']
             action_id = ModelData.get_id(*link_name.split('.'))
-            action = ActionWindow(action_id)
-            if (not action.res_model
+            try:
+                action, = ActionWindow.search([('id', '=', action_id)])
+            except ValueError:
+                action = None
+            if (not action
+                    or not action.res_model
                     or not ModelAccess.check(
                         action.res_model, 'read', raise_exception=False)):
                 element.tag = 'label'
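Review bot: The `try` in the `link` branch wraps the whole `ActionWindow.search(...)` call, so a `ValueError` raised inside the search itself cannot be told apart from "no readable action", and the link silently becomes a label. That fails closed, but it hides real errors; keeping the lookup outside any handler is clearer: `actions = ActionWindow.search([('id', '=', action_id)])` followed by `action = actions[0] if actions else None`. A comment would also help, such as `# search() instead of ActionWindow(action_id): the lookup must be filtered by the user's access rules`. As the commit description implies, the direct instantiation skipped that filtering, and it looks like an obvious simplification someone could restore later. The enclosing function starts and ends outside the hunk.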
diff -r aff8066131c9 -r cb334e6fd66b trytond/tests/test_modelview.py
--- a/trytond/tests/test_modelview.py   Mon May 25 09:39:17 2020 +0200
+++ b/trytond/tests/test_modelview.py   Thu May 28 18:17:40 2020 +0200
@@ -420,6 +420,32 @@
         self.assertTrue(labels)
 
     @with_transaction()
+    def test_link_without_action_access(self):
+        "Test link in view without action access"
+        pool = Pool()
+        TestModel = pool.get('test.modelview.link')
+        ActionWindow = pool.get('ir.action.act_window')
+        Group = pool.get('res.group')
+        ActionGroup = pool.get('ir.action-res.group')
+
+        group = Group(name="Group")
+        group.save()
+        action_window, = ActionWindow.search(
+            [('res_model', '=', 'test.modelview.link.target')])
+        ActionGroup(
+            action=action_window.action,
+            group=group).save()
+
+        arch = TestModel.fields_view_get()['arch']
+        parser = etree.XMLParser()
+        tree = etree.fromstring(arch, parser=parser)
+        links = tree.xpath('//link')
+        labels = tree.xpath('//label')
+
+        self.assertFalse(links)
+        self.assertTrue(labels)
+
+    @with_transaction()
     def test_rpc_setup(self):
         "Testing the computation of the RPC methods"
         pool = Pool()
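Review bot: `test_link_without_action_access` covers only the denied case, and `self.assertTrue(labels)` passes if the view contains any label at all, so the test would still pass if links were stripped for every user. Consider asserting on the specific converted element and, unless a test outside this hunk already covers it, adding the complementary case where the transaction user belongs to the group and the `link` is still rendered. The test also relies on the transaction user not being a member of the newly created group; a short comment such as `# the test user is not in "Group", so the action must be hidden` would make that assumption explicit.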
