details:   https://code.tryton.org/tryton/commit/eb3ec477d09b
branch:    default
user:      Cédric Krier <[email protected]>
date:      Tue Jun 23 22:03:36 2026 +0200
description:
        Use rule check to enforce read access on report ids
diffstat:

 trytond/trytond/report/report.py     |   5 ++---
 trytond/trytond/tests/test_report.py |  17 ++++++++++++++++-
 2 files changed, 18 insertions(+), 4 deletions(-)

diffs (59 lines):

diff -r 856dea6dca76 -r eb3ec477d09b trytond/trytond/report/report.py
--- a/trytond/trytond/report/report.py  Tue Jun 23 22:03:06 2026 +0200
+++ b/trytond/trytond/report/report.py  Tue Jun 23 22:03:36 2026 +0200
@@ -148,6 +148,7 @@
         User = pool.get('res.user')
         Group = pool.get('res.group')
         ModelAccess = pool.get('ir.model.access')
+        Rule = pool.get('ir.rule')
 
         if Transaction().user == 0:
             return
@@ -166,10 +167,8 @@
                         groups=', '.join(g.rec_name for g in groups)))
 
             if model:
-                Model = pool.get(model)
                 ModelAccess.check(model, 'read')
-                # Check read access
-                Model.read(ids, ['id'])
+                Rule.check(model, ids)
 
     @classmethod
     def header_key(cls, record, data):
diff -r 856dea6dca76 -r eb3ec477d09b trytond/trytond/tests/test_report.py
--- a/trytond/trytond/tests/test_report.py      Tue Jun 23 22:03:06 2026 +0200
+++ b/trytond/trytond/tests/test_report.py      Tue Jun 23 22:03:36 2026 +0200
@@ -1,6 +1,7 @@
 # This file is part of Tryton.  The COPYRIGHT file at the top level of
 # this repository contains the full copyright notices and license terms.
 import datetime
+import json
 import unittest
 from email.message import EmailMessage
 from unittest.mock import Mock, patch
@@ -89,9 +90,23 @@
         "Execute report without read access"
         pool = Pool()
         Report = pool.get('test.test_report', type='report')
+        Model = pool.get('test.access')
+        RuleGroup = pool.get('ir.rule.group')
+
+        record, = Model.create([{'field1': 'foo'}])
+        rule_group, = RuleGroup.create([{
+                    'name': "Field different from foo",
+                    'model': Model.__name__,
+                    'global_p': True,
+                    'perm_read': True,
+                    'rules': [('create', [{
+                                    'domain': json.dumps(
+                                        [('field1', '!=', 'foo')]),
+                                    }])],
+                    }])
 
         with self.assertRaises(AccessError):
-            Report.execute([1], {'model': 'test.access'})
+            Report.execute([record.id], {'model': 'test.access'})
 
     @unittest.skipUnless(mrml, "required mrml")
     @with_transaction()

Reply via email to