İçereği Atla
Bu soru işaretlendi
securityir_attachmentwebsite
4 Cevaplar
21195 Görünümler
Avatar
Evans Bernier

Hello,

I created a website module that can access at some attachments. I create a security group for my module and gave reading access to ir_attachment model. The user of this module can only access frontend. When I try to show attribute of an attachment from ir_attachment, I got a "500: Internal Server Error". In log, I can see the following error message

File "/var/www/odoo8/server/openerp/addons/base/ir/ir_attachment.py", line 259, in check

    raise except_orm(_('Access Denied'), _("Sorry, you are not allowed to access this document."))

I looked in security and my security group have access to the model. Why I get this error message?

If the user have at least access to backend, I can access ir_attachment, but not if the user have only access frontend.

Thanks


Avatar
Vazgeç
Avatar
Rihards Novožilovs
En İyi Yanıt

You can use sudo

obj = request.env['ir.attachment'].sudo().search([('name', '=', 'test')])

Avatar
Vazgeç
Avatar
Axel Mendoza
En İyi Yanıt

Hi Evans Bernier

The issue is related that the ir.attachment model has an override of the check method to add extra security checks and the particular one that you are hitting is that the user that you are using doesn't have the group Employee that it's not an HR security group, it's a base group assigned by default to pretty much all the users created, seems that your user was created using the signup feature of Odoo that use the Public User as a template and that way the new users does not get the Employee group since the template user doesn't have it neither. You could find the Employee group in the Human Resources group selection field in the user form, where all of the other values for that selection field are groups that inherit from the Employee group. You could also put your new group to inherit from the Employee group (ID is base.group_user) or manually add that group to the user and you will be ok


*** Update ***

The easiest way to solve that without giving aditional permissions to your users is doing this:


from openerp import models
class ir_attachment_check(models.Model)
    _inherit = 'ir.attachment'
    def check(self, cr, uid, ids, mode, context=None, values=None):
        res_ids = {}
        if ids:
            if isinstance(ids, (int, long)):
                ids = [ids]
            cr.execute('SELECT DISTINCT res_model, res_id, create_uid FROM ir_attachment WHERE id = ANY (%s)', (ids,))
            for rmod, rid, create_uid in cr.fetchall():
                if not (rmod and rid):
                    continue
                res_ids.setdefault(rmod,set()).add(rid)
        if values:
            if values.get('res_model') and values.get('res_id'):
                res_ids.setdefault(values['res_model'],set()).add(values['res_id'])
        ima = self.pool.get('ir.model.access')
        for model, mids in res_ids.items():
            # ignore attachments that are not attached to a resource anymore when checking access rights
            # (resource was deleted but attachment was not)
            if not self.pool.get(model):
                continue
            existing_ids = self.pool[model].exists(cr, uid, mids)
            ima.check(cr, uid, model, mode)
            self.pool[model].check_access_rule(cr, uid, existing_ids, mode, context=context)

Just override the check method to remove the code that checks for the Employee  group in the user

Avatar
Vazgeç
Evans Bernier
Üretici

Hi Axel,

Thanks a lot for the explanation. I don't want to give access to backend to these users. How can I give that rights without giving the backend access?

Thanks,

Axel Mendoza

See my answer update for how to do it and don't forget to upvote and accept the answer if you find it useful

paidy kumar

hi sir i have also same issue i am using odoo 12v...but i am not able to migrate this code to v12 .can you help me please i am new to odoo.

Avatar
Alexey Moujeer
En İyi Yanıt

I scratched my head for quite some time over this error when I tried to make some attachments accessible from a public website (read only). In odoo10 - and I don't know about earlier versions - setting the "public" field on the attachment to True makes the check method bypass the aforementioned security check in read mode.

Avatar
Vazgeç
Simon Capriles

This avoids changes in the code and in the user's access rights.
Definitely should check this before anything

Avatar
Evans Bernier
Üretici En İyi Yanıt

Thanks Axel, that's work fine. I wasn't know about the extra security checks of that model.

Avatar
Vazgeç
İlgili Gönderiler Cevaplar Görünümler Aktivite
How to restrict access for static pages?
security website webpage
Avatar
Avatar
1
Eyl 21
5759
After new user created his account add a validation step to accept or decline his entry
security accounts website
Avatar
0
Haz 20
3201
Webpage for specific users
security access website
Avatar
Avatar
1
Kas 18
5917
UPDATED: Anonymous User requests for (404) Not Found URLs triggers deletion of critical website files - what code in Odoo v9 could be causing this deletion to occur due? Çözüldü
security website_builder website
Avatar
Avatar
6
Şub 16
12334
SecurityError and Javascript error after activating website module
security javascript website_builder website
Avatar
0
Mar 25
2327