OCA / knowledge

Odoo Document & Knowledge Management
http://www.odoo-community.org/project/22
GNU Affero General Public License v3.0

[14.0][FIX] attachment_zipped_download: zip allowed document only #411

Closed petrus-v closed 1 year ago

petrus-v commented 1 year ago

The previous code allowed any authenticated user to retrieve any attachment present on the Odoo filesystem. So a WMS user could, technically speaking, download a zip with accounting documents.

This implementation calls the read() method to retrieve the files to archive, which has two benefits:

petrus-v commented 1 year ago

@pedrobaeza @victoralmau I suppose you should care about this PR regarding access privileges to attachments, depending on the context in which you are using this module!

pedrobaeza commented 1 year ago

Can you please squash commits?

petrus-v commented 1 year ago

Can you please squash commits?

Done!

pedrobaeza commented 1 year ago

/ocabot merge patch

OCA-git-bot commented 1 year ago

On my way to merge this fine PR! Prepared branch 14.0-ocabot-merge-pr-411-by-pedrobaeza-bump-patch, awaiting test results.

OCA-git-bot commented 1 year ago

Congratulations, your PR was merged at c04885e0e9783a8031697af8121e9639325b4fa3. Thanks a lot for contributing to OCA. ❤️
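
The access problem from the PR description at the top of this thread, as an added example that is not part of the PR or of the module's code. It is a plain-Python model: `STORE`, the group names, `read_attachment`, `zip_unchecked` and `zip_checked` are hypothetical stand-ins, and the sample attachments are constructed.

```python
import io
import zipfile

# Constructed sample data: attachment id -> (file name, content, groups allowed to read it).
STORE = {
    1: ("picking_0001.pdf", b"picking list", {"wms", "accounting"}),
    2: ("invoice_2024_001.pdf", b"invoice", {"accounting"}),
}


def read_attachment(user_groups, att_id):
    """Hypothetical stand-in for an access-checked read: raises if the user may not read."""
    name, data, allowed = STORE[att_id]
    if not (set(user_groups) & allowed):
        raise PermissionError(f"attachment {att_id} is not readable by this user")
    return name, data


def zip_unchecked(user_groups, att_ids):
    """'Before' behaviour: content is taken from storage directly, user rights are ignored."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for att_id in att_ids:
            name, data, _allowed = STORE[att_id]
            zf.writestr(name, data)
    return buf.getvalue()


def zip_checked(user_groups, att_ids):
    """'After' behaviour: every file goes through the access-checked read first."""
    # Read everything before writing, so a denied id aborts without a partial archive.
    files = [read_attachment(user_groups, att_id) for att_id in att_ids]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files:
            zf.writestr(name, data)
    return buf.getvalue()


def names_in(zip_bytes):
    """List the member names of an in-memory zip archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()
```

A regression test for this kind of fix requests a mix of readable and unreadable ids as a low-privilege user and asserts that the download is refused.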