
Odoo violates multi-company rule and also own-document rule.

I have a sale order generated by the eCommerce module. I've generated an invoice on this order, but I modified the invoice partner_id as well as the company of the invoice, and Odoo still shows this invoice to the original customer. So the customer can see a document assigned to a different person from a different company.

Inside portal view there is a line (addons\sale\views\sale_portal_templates.xml):

<t t-set="invoices" t-value="[i for i in sale_order.invoice_ids if i.state not in ['draft', 'cancel']]"/>


And for some reason sale_order.invoice_ids just straight up ignores all the record rules.

Maybe because sale_order is fetched with sudo and I have no idea why (addons\sale\controllers\portal.py):

order_sudo = self._document_check_access('sale.order', order_id, access_token=access_token)



And this is the definition:
def _document_check_access(self, model_name, document_id, access_token=None):
    document = request.env[model_name].browse([document_id])
    document_sudo = document.with_user(SUPERUSER_ID).exists()
    if not document_sudo:
        raise MissingError(_("This document does not exist."))
    try:
        document.check_access_rights('read')
        document.check_access_rule('read')
    except AccessError:
        if not access_token or not document_sudo.access_token or not consteq(document_sudo.access_token, access_token):
            raise
    return document_sudo


And it causes a bug, because for some reason it gives back documents that the user should not have access to. This is really bad and I don't know if I can trust Odoo with handling document permissions any more.

Odoo13
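
Added illustration, not part of the original post and not Odoo code: a stand-alone Python model of the behaviour described above, where an order returned in superuser mode passes its environment on to `invoice_ids`, so the "own documents" rule is never evaluated for the invoices the template lists. `Env`, `Invoice`, `SaleOrder`, both `portal_invoices_*` functions and the sample data are hypothetical stand-ins; only `invoice_ids`, `check_access_rule`, `AccessError` and the state filter mirror names on the page.

```python
from collections import namedtuple
from dataclasses import dataclass, replace

class AccessError(Exception): pass  # stand-in for the exception named on the page

# partner_id: partner of the requesting user; su: superuser mode, rules are skipped
Env = namedtuple('Env', 'partner_id su', defaults=(False,))

@dataclass(frozen=True)
class Invoice:
    id: int
    partner_id: int
    state: str
    env: Env

    def check_access_rule(self):
        # Stand-in for the portal "own documents" record rule.
        if not self.env.su and self.partner_id != self.env.partner_id:
            raise AccessError(f"invoice {self.id} not visible to this user")

@dataclass(frozen=True)
class SaleOrder:
    invoices: tuple
    env: Env

    @property
    def invoice_ids(self):
        # Related records inherit the environment of the record they are read from.
        return [replace(inv, env=self.env) for inv in self.invoices]

def portal_invoices_template(order):
    """The template expression from the page: filters on state only."""
    return [i.id for i in order.invoice_ids if i.state not in ('draft', 'cancel')]

def portal_invoices_checked(order, user_env):
    """Same filter, but each invoice is re-checked in the requesting user's env."""
    visible = []
    for inv in order.invoice_ids:
        try:
            replace(inv, env=user_env).check_access_rule()
        except AccessError:
            continue
        if inv.state not in ('draft', 'cancel'):
            visible.append(inv.id)
    return visible

# Constructed sample: invoice 2 was reassigned to partner 9 after creation.
USER_ENV, SUDO_ENV = Env(partner_id=7), Env(partner_id=7, su=True)
ORDER_SUDO = SaleOrder((Invoice(1, 7, 'posted', USER_ENV), Invoice(2, 9, 'posted', USER_ENV),
                        Invoice(3, 7, 'draft', USER_ENV)), SUDO_ENV)
```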


