Merge pull request #25 from jobrad-gmbh/JRAD-2653-Pentest-Finding-Handle-attachments-correctly-for-permissions

jhelfferich · web-flow · commit 5b1d766be333 · 2024-10-24T15:15:22.000+02:00
JRAD-2653 Restore checks
diff --git a/addons/snailmail/tests/test_attachment_access.py b/addons/snailmail/tests/test_attachment_access.py
@@ -52,8 +52,8 @@ def test_user_letter_attachment_without_res_fields_created_by_admin(self):
 
         # As user, ensure the attachment itself cannot be read
         attachment.invalidate_cache()
-        # with self.assertRaises(AccessError):       # JobRad: We have temporarily deactivated the access check
-        attachment.with_user(self.user).datas        # JobRad: on attachments without res_fields.
+        with self.assertRaises(AccessError):
+            attachment.with_user(self.user).datas
         # But, as user, the content of the attachment can be read through the letter
         self.assertEqual(base64.b64decode(letter.with_user(self.user).attachment_datas), b'foo')
 
@@ -64,9 +64,8 @@ def test_user_letter_attachment_without_res_fields_created_by_admin(self):
 
         # As user ensure the attachment itself cannot be read
         attachment.invalidate_cache()
-        # JobRad: We have temporarily deactivated the access check on attachments without res_fields.
-        # with self.assertRaises(AccessError):    # JobRad
-        self.assertEqual(base64.b64decode(attachment.with_user(self.user).datas), b'bar')  # JobRad
+        with self.assertRaises(AccessError):
+            self.assertEqual(base64.b64decode(attachment.with_user(self.user).datas), b'bar')
         # But, as user, the content of the attachment can be read through the letter
         self.assertEqual(base64.b64decode(letter.with_user(self.user).attachment_datas), b'bar')
 
diff --git a/odoo/addons/base/models/ir_attachment.py b/odoo/addons/base/models/ir_attachment.py
@@ -429,10 +429,10 @@ def check(self, mode, values=None):
             self.env['ir.attachment'].flush(['res_model', 'res_id', 'create_uid', 'public', 'res_field'])
             self._cr.execute('SELECT res_model, res_id, create_uid, public, res_field FROM ir_attachment WHERE id IN %s', [tuple(self.ids)])
             for res_model, res_id, create_uid, public, res_field in self._cr.fetchall():
-                if not self.env.is_system() and res_field:
-                    raise AccessError(_("Sorry, you are not allowed to access this document."))
                 if public and mode == 'read':
                     continue
+                if not self.env.is_system() and (res_field or (not res_id and create_uid != self.env.uid)):
+                    raise AccessError(_("Sorry, you are not allowed to access this document."))
                 if not (res_model and res_id):
                     continue
                 model_ids[res_model].add(res_id)
