changeset a3e779de8660 in trytond:5.6
details: https://hg.tryton.org/trytond?cmd=changeset;node=a3e779de8660
description:
Ignore link of action that user can not read
We must also prevent the client from reading link actions for which the user
does not have read access.
issue9364
review305661002
(grafted from cb334e6fd66b438ae6f7a31cf92c0eac6fba520b)
diffstat:
trytond/model/modelview.py | 8 ++++++--
trytond/tests/test_modelview.py | 26 ++++++++++++++++++++++++++
2 files changed, 32 insertions(+), 2 deletions(-)
diffs (54 lines):
diff -r f646250fe042 -r a3e779de8660 trytond/model/modelview.py
--- a/trytond/model/modelview.py Wed Jun 03 22:12:27 2020 +0200
+++ b/trytond/model/modelview.py Thu May 28 18:17:40 2020 +0200
@@ -641,8 +641,12 @@
if element.tag == 'link':
link_name = element.attrib['name']
action_id = ModelData.get_id(*link_name.split('.'))
- action = ActionWindow(action_id)
- if (not action.res_model
+ try:
+ action, = ActionWindow.search([('id', '=', action_id)])
+ except ValueError:
+ action = None
+ if (not action
+ or not action.res_model
or not ModelAccess.check(
action.res_model, 'read', raise_exception=False)):
element.tag = 'label'
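Review bot: The `try`/`except ValueError` around `action, = ActionWindow.search([('id', '=', action_id)])` catches more than the empty-result case: a ValueError raised inside `search()` itself would also be swallowed and the link silently downgraded to a label. Taking the result without unpacking keeps the fail-closed behaviour and drops the handler: `actions = ActionWindow.search([('id', '=', action_id)])` followed by `action = actions[0] if actions else None`. The reason for searching instead of instantiating is also not visible in the code; presumably `search()` applies the user's access rules to the action where `ActionWindow(action_id)` did not, and a comment such as `# search() so that actions the user cannot read are filtered out` would keep a later cleanup from reverting it. The enclosing function starts and ends outside the hunk.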
diff -r f646250fe042 -r a3e779de8660 trytond/tests/test_modelview.py
--- a/trytond/tests/test_modelview.py Wed Jun 03 22:12:27 2020 +0200
+++ b/trytond/tests/test_modelview.py Thu May 28 18:17:40 2020 +0200
@@ -420,6 +420,32 @@
self.assertTrue(labels)
@with_transaction()
+ def test_link_without_action_access(self):
+ "Test link in view without action access"
+ pool = Pool()
+ TestModel = pool.get('test.modelview.link')
+ ActionWindow = pool.get('ir.action.act_window')
+ Group = pool.get('res.group')
+ ActionGroup = pool.get('ir.action-res.group')
+
+ group = Group(name="Group")
+ group.save()
+ action_window, = ActionWindow.search(
+ [('res_model', '=', 'test.modelview.link.target')])
+ ActionGroup(
+ action=action_window.action,
+ group=group).save()
+
+ arch = TestModel.fields_view_get()['arch']
+ parser = etree.XMLParser()
+ tree = etree.fromstring(arch, parser=parser)
+ links = tree.xpath('//link')
+ labels = tree.xpath('//label')
+
+ self.assertFalse(links)
+ self.assertTrue(labels)
+
+ @with_transaction()
def test_rpc_setup(self):
"Testing the computation of the RPC methods"
pool = Pool()
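Review bot: `self.assertTrue(labels)` in `test_link_without_action_access` passes as soon as the view contains any `label` element, so it may not prove that the restricted link was the one converted; if the test view has other labels, asserting on the label's `name` attribute would pin that down. The test also depends on the transaction user not belonging to the new group, which is what makes the action unreadable, but nothing states it; a comment such as `# the current user is not in this group, so the action becomes unreadable` before the `ActionGroup(...)` call would make the precondition explicit. The hunk shows no counterpart case where the user is in the group and the link is kept, which would guard against over-filtering; it may exist outside the hunk.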