← Back to branch summary

~bitglue/openobject-server/packaging

« back to all changes in this revision

Viewing changes to openerp/osv/orm.py

  • Committer: Raphael Collet
  • Date: 2012-12-17 10:15:28 UTC
  • mfrom: (4672.4.7 trunk-acl-thu)
  • Revision ID: rco@openerp.com-20121217101528-nt5hsjvvodaap57m
[MERGE] trunk-acl-thu (check read/write access restrictions on fields with a groups attribute)

Show diffs side-by-side

added added

removed removed

Lines of Context:
openerp/osv/orm.py
3537
3537
 
3538
3538
        return res
3539
3539
 
 
3540
    def check_field_access_rights(self, cr, user, operation, fields, context=None):
 
3541
        """
 
3542
        Check the user access rights on the given fields. This raises Access
 
3543
        Denied if the user does not have the rights. Otherwise it returns the
 
3544
        fields (as is if the fields is not falsy, or the readable/writable
 
3545
        fields if fields is falsy).
 
3546
        """
 
3547
        def p(field_name):
 
3548
            """Predicate to test if the user has access to the given field name."""
 
3549
            # Ignore requested field if it doesn't exist. This is ugly but
 
3550
            # it seems to happen at least with 'name_alias' on res.partner.
 
3551
            if field_name not in self._all_columns:
 
3552
                return True
 
3553
            field = self._all_columns[field_name].column
 
3554
            if field.groups:
 
3555
                return self.user_has_groups(cr, user, groups=field.groups, context=context)
 
3556
            else:
 
3557
                return True
 
3558
        if not fields:
 
3559
            fields = filter(p, self._all_columns.keys())
 
3560
        else:
 
3561
            filtered_fields = filter(lambda a: not p(a), fields)
 
3562
            if filtered_fields:
 
3563
                _logger.warning('Access Denied by ACLs for operation: %s, uid: %s, model: %s, fields: %s', operation, user, self._name, ', '.join(filtered_fields))
 
3564
                raise except_orm(
 
3565
                    _('Access Denied'),
 
3566
                    _('The requested operation cannot be completed due to security restrictions. '
 
3567
                    'Please contact your system administrator.\n\n(Document type: %s, Operation: %s)') % \
 
3568
                    (self._description, operation))
 
3569
        return fields
 
3570
 
3540
3571
    def read(self, cr, user, ids, fields=None, context=None, load='_classic_read'):
3541
3572
        """ Read records with given ids with the given fields
3542
3573
 
3562
3593
        if not context:
3563
3594
            context = {}
3564
3595
        self.check_access_rights(cr, user, 'read')
3565
 
        if not fields:
3566
 
            fields = list(set(self._columns.keys() + self._inherit_fields.keys()))
 
3596
        fields = self.check_field_access_rights(cr, user, 'read', fields)
3567
3597
        if isinstance(ids, (int, long)):
3568
3598
            select = [ids]
3569
3599
        else:
4020
4050
 
4021
4051
        """
4022
4052
        readonly = None
 
4053
        self.check_field_access_rights(cr, user, 'write', vals.keys())
4023
4054
        for field in vals.copy():
4024
4055
            fobj = None
4025
4056
            if field in self._columns: