
Odoo violates the multi-company rule and also the own-document rule.

I have a sale order generated by the eCommerce module. I generated an invoice on this order, but I modified the invoice's partner_id as well as the company of the invoice, and Odoo still shows this invoice to the original customer. So the customer can see a document assigned to a different person from a different company.

Inside the portal view there is a line (addons\sale\views\sale_portal_templates.xml):

<t t-set="invoices" t-value="[i for i in sale_order.invoice_ids if i.state not in ['draft', 'cancel']]"/>


And for some reason sale_order.invoice_ids just straight up ignores all the record rules.

Maybe because sale_order is fetched with sudo, and I have no idea why (addons\sale\controllers\portal.py):

order_sudo = self._document_check_access('sale.order', order_id, access_token=access_token)



And this is the definition:

from odoo import SUPERUSER_ID, _
from odoo.exceptions import AccessError, MissingError
from odoo.http import request
from odoo.tools import consteq


def _document_check_access(self, model_name, document_id, access_token=None):
    document = request.env[model_name].browse([document_id])
    # superuser copy of the same record; this is what gets returned below
    document_sudo = document.with_user(SUPERUSER_ID).exists()
    if not document_sudo:
        raise MissingError(_("This document does not exist."))
    try:
        # ACL and record rules are checked on the current user's recordset
        document.check_access_rights('read')
        document.check_access_rule('read')
    except AccessError:
        # an access token is accepted in place of the rules (constant-time compare)
        if not access_token or not document_sudo.access_token or not consteq(document_sudo.access_token, access_token):
            raise
    # the superuser recordset is returned, not the user-bound one that was checked
    return document_sudo


And it causes a bug, because for some reason it gives back documents that the user should not have access to. This is really bad, and I don't know if I can trust Odoo with handling document permissions anymore.

Odoo13
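The mechanism described in the post, as an added example that is not code from the post or from Odoo: a small stand-in for Odoo's recordset and record-rule machinery (the USERS, DB, RULES tables and the Recordset class are constructed here and are not Odoo's API; only _document_check_access follows the shape of the helper quoted above, with the token branch left out). It shows that a relational field of a sudo'd recordset is itself sudo'd, so the record rules never run on the invoices, and contrasts the template's state-only filter with re-binding the related records to the real user and re-checking each one.

```python
# Added example, not code from the post or from Odoo: a self-contained stand-in
# for Odoo's recordset / record-rule machinery. USERS, DB, RULES and Recordset
# are constructed here; only _document_check_access follows the post's shape.
SUPERUSER_ID = 1


class AccessError(Exception):
    pass


class MissingError(Exception):
    pass


# Constructed data. User 7 is the portal customer (partner 10, company 1).
USERS = {SUPERUSER_ID: {"partner_id": 0, "company_id": 0},
         7: {"partner_id": 10, "company_id": 1}}
DB = {
    "sale.order": {1: {"partner_id": 10, "company_id": 1, "invoice_ids": [100, 101, 102]}},
    "account.move": {
        100: {"partner_id": 20, "company_id": 2, "state": "posted"},  # re-assigned, as in the post
        101: {"partner_id": 10, "company_id": 1, "state": "posted"},
        102: {"partner_id": 10, "company_id": 1, "state": "draft"},
    },
}
# Stand-in for ir.rule: a record is readable only if every rule for its model holds.
RULES = {
    "sale.order": [lambda r, u: r["partner_id"] == u["partner_id"]],
    "account.move": [lambda r, u: r["partner_id"] == u["partner_id"],
                     lambda r, u: r["company_id"] == u["company_id"]],
}


class Recordset:
    """Ids of one model bound to a user, like an Odoo recordset and its env."""

    def __init__(self, model, ids, uid):
        self.model, self.ids, self.uid = model, list(ids), uid

    def __iter__(self):
        return (Recordset(self.model, [i], self.uid) for i in self.ids)

    def __bool__(self):
        return bool(self.ids)

    def with_user(self, uid):
        return Recordset(self.model, self.ids, uid)

    def exists(self):
        return Recordset(self.model, [i for i in self.ids if i in DB[self.model]], self.uid)

    def check_access_rule(self, operation):
        if self.uid == SUPERUSER_ID:  # superuser: record rules are skipped entirely
            return
        user = USERS[self.uid]
        for rid in self.ids:
            if not all(rule(DB[self.model][rid], user) for rule in RULES[self.model]):
                raise AccessError(f"{self.model}({rid}) is not readable by uid {self.uid}")

    def __getattr__(self, name):
        # The key property: a relational field yields records in the SAME
        # environment, so order_sudo.invoice_ids is itself a superuser recordset.
        if name == "invoice_ids":
            ids = [i for rid in self.ids for i in DB[self.model][rid]["invoice_ids"]]
            return Recordset("account.move", ids, self.uid)
        (rid,) = self.ids  # scalar field of a single record
        return DB[self.model][rid][name]


def _document_check_access(model_name, document_id, uid):
    """Same shape as the post's helper (token branch omitted): record rules are
    checked as the real user, but the superuser recordset is what gets returned."""
    document = Recordset(model_name, [document_id], uid)
    document_sudo = document.with_user(SUPERUSER_ID).exists()
    if not document_sudo:
        raise MissingError("This document does not exist.")
    document.check_access_rule("read")
    return document_sudo


def portal_invoices_naive(order_sudo):
    """What the template does: filter on state only, inheriting sudo from the order."""
    return [inv.ids[0] for inv in order_sudo.invoice_ids if inv.state not in ("draft", "cancel")]


def portal_invoices_checked(order_sudo, uid):
    """Re-bind the related records to the real user and keep only those that pass
    that user's record rules, instead of trusting the sudo'd relation."""
    visible = []
    for inv in order_sudo.invoice_ids.with_user(uid):
        if inv.state in ("draft", "cancel"):
            continue
        try:
            inv.check_access_rule("read")
        except AccessError:
            continue
        visible.append(inv.ids[0])
    return visible
```

With the constructed data, customer 7 opens order 1, which passes the order's own rule, and the returned order_sudo is bound to the superuser. portal_invoices_naive then lists invoice 100 even though it now belongs to partner 20 in company 2, while portal_invoices_checked drops it and keeps only 101. The same re-check is what a portal controller or template has to do for every relational hop away from the sudo'd document; a token that authorises the order does not authorise records merely linked to it.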


