Skip to Content
This question has been flagged
securityxmlodoo10.0
1 Reply
7463 Views
Avatar
youta

Hello,

I'm working on online quotation report customization, to display the products images on the quotation for the customer.

Everything is working just fine except of when the customer click on the quotation link sent by email, it directs him to the quotation but some of products images aren't loaded and it gives 404 forbidden error in the console. However if the customer logged in it will be displayed just fine.

Here's a sample of my code:


<template id="so_custom_quotation_content" inherit_id="website_quote.so_quotation_content" name="Custom Quotation">
        <xpath expr="//div[@class='oe_structure']" position="after">
            <section id="productdetails">
                <t t-foreach="quotation.order_lines_layouted()" t-as="page">
                    <table class="table table-condensed wq-table">
                        <thead>
                            <tr>
                                <th>Product</th>
                                <th></th>
                                <th></th>
                                <th>Description</th>
                            </tr>
                        </thead>
                        <tbody>
                            <t t-foreach="page" t-as="layout_category">
                                <t t-if="layout_category_size > 1 or page_size > 1" groups="sale.group_sale_layout">
                                    <tr class="active">
                                        <td colspan="7" style="font-weight: bold; border-bottom: 1px solid black;">&amp;bull;
                                            <t t-esc="layout_category['name']"/>
                                        </td>
                                    </tr>
                                    <tr></tr>
                                </t>
                                <t t-foreach="layout_category['lines']" t-as="line">
                                    <tr t-attf-class="product-description row-{{line_parity}}">
                                        <td style="padding:20px;" t-foreach="line.product_id" t-as="pro">
                                            <span t-field="pro.image_medium" t-field-options='{"widget": "image","class": "oe_avatar"}' style="padding:20px;"/>
                                        </td>
                                        <td></td>
                                        <td></td>
                                        <td class="colored">
                                            <p t-field="line.name"/>
                                        </td>
                                    </tr>
                                </t>
                            </t>
                        </tbody>
                    </table>
                    <t t-if="page_index &lt; page_size - 1" groups="sale.group_sale_layout">
                        <p style="page-break-before:always;"></p>
                    </t>
                </t>
            </section>
     </xpath>
</template>

Screenshot of the error for unregistered people

Can anyone help me to fix that error. Much appreciation and thanks in advance


PS. I'm using Nginx reverse proxy

Avatar
Discard
Avatar
Denis Baranov
Best Answer

The issue is stipulated by access rights of public users to products:

  1. When a user is not logged in, he/she is a "Public user"

  2. Public user has rights to read products (e.g.: look at the 'website_sale' addon, the rule 'access_product_product_public')

  3. Image_medium which you try to show is a computed fields with inverse, what requires more rights

The recommendations (alternatively):

  1. Redefine the functions to compute images, adding 'sudo'

  2. Add the special rights for public users via csv (may be not SAFE)

  3. Keep an image in another model.

Example of the last advise:

class avatar(models.Model):

    _name = 'avatar.avatar'

   

    image = fields.Binary(string='Image')

    product_id = fields.Many2one('product.product',string='Product')

class product_product(models.Model):

    _inherit = 'product.product'

   

    @api.one

    @api.depends('image_medium')

    def get_avatar(self):

        if self.avatar:

            self.avatar.image = self.image_medium

        else:

            avatar_id = self.env['avatar.avatar'].create({'product_id':self.id,'image': self.image_medium})

            self.avatar = avatar_id

   

    avatar = fields.Many2one('avatar.avatar',string="Avatar",compute="get_avatar",compute_sudo=True,store=True)

The rule for avatar:

access_avatar_avatar,access_avatar_avatar,model_avatar_avatar,,1,0,1,0

Afterwards, instead of image_medium in your template, use avatar.image

Avatar
Discard
youta
Author

Perfect, thanks

youta
Author

Well the presented solution helped me to overcome the 403 forbidden error. Now I'm facing another problem that the images are always cashed in the quotation table, no matter I try to remove or change the original product image, nothing changes in the online quotation. Any advice?

Related Posts Replies Views Activity
Adding bullets in odoo 10 qweb report.
xml odoo10.0
Avatar
0
Jun 22
1542
Setting up rules' Access Right in xml,csv files
security xml rules
Avatar
1
Dec 22
23147
Hiding Attachments button on a specific model's form view in odoo 10.
xml python2.7 odoo10.0
Avatar
0
Aug 22
1714
How to create user Group Application for your module? Solved
security xml group
Avatar
Avatar
6
Jan 21
43060
inherit some group permissions to another group Solved
security xml odoo11.0
Avatar
Avatar
1
Dec 23
9490