Description: Check read access of report records.
This patch is part of the fix for
https://discuss.tryton.org/t/security-release-for-issues-13505-and-13506/7846
get_groups does not always return the group of the action.
When the method is called with access checked, because there is a record rule on ir.action,
the method returns an empty set of group ids. This is because no actions are found
if the user does not share a group. As a result, the access check of Report and Wizard
never raises an error.
Author: Cédric Krier <cedric.krier@b2ck.com>
Bug: https://foss.heptapod.net/tryton/tryton/-/issues/13506
--- a/trytond/res/ir.py
+++ b/trytond/res/ir.py
@@ -3,6 +3,7 @@
from trytond.model import ModelSQL, DeactivableMixin, fields
from trytond.pool import Pool, PoolMeta
from trytond.pyson import Eval
+from trytond.transaction import Transaction
class UIMenuGroup(ModelSQL):
@@ -85,15 +86,16 @@
@classmethod
def get_groups(cls, name, action_id=None):
- # TODO add cache
- domain = [
- (cls._action_name, '=', name),
- ]
- if action_id:
- domain.append(('id', '=', action_id))
- actions = cls.search(domain)
- groups = {g.id for a in actions for g in a.groups}
- return groups
+ with Transaction().set_context(_check_access=False):
+ # TODO add cache
+ domain = [
+ (cls._action_name, '=', name),
+ ]
+ if action_id:
+ domain.append(('id', '=', action_id))
+ actions = cls.search(domain)
+ groups = {g.id for a in actions for g in a.groups}
+ return groups
class ActionReport(ActionMixin):
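Review bot: The new `with Transaction().set_context(_check_access=False):` in get_groups carries no comment saying why access checking is switched off, although that is the whole security fix. A later cleanup, or whoever implements the `# TODO add cache`, could drop it without noticing. I would put a comment directly above the `with`, such as `# Search without access checks: the record rule on ir.action hides actions from users outside their groups, which would yield an empty set`. According to the patch description an empty result makes the Report and Wizard access check pass; those callers are not visible in this hunk. A short docstring should therefore state that the returned ids do not depend on the calling user and that an empty set means no matching action has any group. A regression test with a user who shares no group with the action would pin the behaviour.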