From 2cd032d44763396a3fd71bfe310758bd84fac43e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= Date: Sun, 3 Dec 2023 16:35:17 +0100 Subject: [PATCH] [FIX] add a few missing sudo to fs_attachment fs.storage is protected as it contains credentials. It must be accessed sudo when needed for regular users manipulating ir.attachments. --- fs_attachment/models/fs_storage.py | 10 +++++----- fs_attachment/models/ir_attachment.py | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/fs_attachment/models/fs_storage.py b/fs_attachment/models/fs_storage.py index 39ea401f72..c7ac100da1 100644 --- a/fs_attachment/models/fs_storage.py +++ b/fs_attachment/models/fs_storage.py @@ -357,7 +357,7 @@ def get_force_db_for_default_attachment_rules(self, code): and the value is the limit in size below which attachments are kept in DB. 0 means no limit. """ - storage = self.get_by_code(code) + storage = self.sudo().get_by_code(code) if ( storage and storage.use_as_default_for_attachments @@ -369,17 +369,17 @@ def get_force_db_for_default_attachment_rules(self, code): @api.model @tools.ormcache("code") def _must_optimize_directory_path(self, code): - return self.get_by_code(code).optimizes_directory_path + return self.sudo().get_by_code(code).optimizes_directory_path @api.model @tools.ormcache("code") def _must_autovacuum_gc(self, code): - return self.get_by_code(code).autovacuum_gc + return self.sudo().get_by_code(code).autovacuum_gc @api.model @tools.ormcache("code") def _must_use_filename_obfuscation(self, code): - return self.get_by_code(code).use_filename_obfuscation + return self.sudo().get_by_code(code).use_filename_obfuscation @api.depends("base_url", "is_directory_path_in_url") def _compute_base_url_for_files(self): @@ -401,7 +401,7 @@ def _get_url_for_attachment( :param attachment: an attachment record :return: the URL to access the attachment """ - fs_storage = self.get_by_code(attachment.fs_storage_code) + fs_storage = self.sudo().get_by_code(attachment.fs_storage_code) if not fs_storage: return None base_url = fs_storage.base_url_for_files diff --git a/fs_attachment/models/ir_attachment.py b/fs_attachment/models/ir_attachment.py index 438f3a7263..8774ed77aa 100644 --- a/fs_attachment/models/ir_attachment.py +++ b/fs_attachment/models/ir_attachment.py @@ -135,7 +135,7 @@ def _compute_fs_storage_id(self): for rec in self: if rec.store_fname: code = rec.store_fname.partition("://")[0] - fs_storage = self.env["fs.storage"].get_by_code(code) + fs_storage = self.env["fs.storage"].sudo().get_by_code(code) if fs_storage != rec.fs_storage_id: rec.fs_storage_id = fs_storage elif rec.fs_storage_id: