[FIX] mail: check access on translation too

JKE-be · JKE-be · commit 963f229a8c9e · 2022-06-25T17:07:11.000+02:00
This commit checks that users without the access right 'Template Editor' are not allowed to add dynamic qweb in the translations of a mail template. Old tests have been updated to keep the assertRaises and all the code that handle the invalidation cache, ... But now we ensure that the Access Error raised is the expected one. Original tests was testing that a user without the group 'Mail Editor' got an access error due to the missing group, but since the commit 1a3e713 the Access Error is because you cannot edit a template that is not created by yourself. closes odoo#94585 X-original-commit: 127a598 Signed-off-by: Thibault Delavallee (tde) <tde@openerp.com>
diff --git a/addons/mail/models/__init__.py b/addons/mail/models/__init__.py
@@ -46,6 +46,7 @@
 from . import ir_http
 from . import ir_model
 from . import ir_model_fields
+from . import ir_translation
 from . import ir_ui_view
 from . import ir_qweb
 from . import res_company
diff --git a/addons/mail/models/ir_translation.py b/addons/mail/models/ir_translation.py
@@ -0,0 +1,59 @@
+# -*- coding: utf-8 -*-
+# Part of Odoo. See LICENSE file for full copyright and licensing details.
+
+from odoo import models, _
+from odoo.exceptions import AccessError
+
+
+class IrTranslation(models.Model):
+    _inherit = 'ir.translation'
+
+    def create(self, vals_list):
+        translations = super().create(vals_list)
+        translations._check_is_dynamic()
+        return translations
+
+    def write(self, vals):
+        res = super().write(vals)
+        self._check_is_dynamic()
+        return res
+
+    def _check_is_dynamic(self):
+        # if we don't modify translation of at least a model that inherits from mail.render.mixin, we ignore it
+        # translation.name can be a path, and so not in the pool, so type(None) will exclude these translations.
+        translations_for_mail_render_mixin = self.filtered(
+            lambda translation: issubclass(type(self.env.get(translation.name.split(',')[0])), self.pool['mail.render.mixin'])
+        )
+        if not translations_for_mail_render_mixin:
+            return
+
+        # if we are admin, or that we can update mail.template we ignore
+        if self.env.is_admin() or self.env.user.has_group('mail.group_mail_template_editor'):
+            return
+
+        # Check that we don't add qweb code in translation when you don't have the rights
+
+        # prefill cache
+        ids_by_model_by_lang = {}
+        tuple_lang_model_id = translations_for_mail_render_mixin.mapped(
+            lambda translation: (translation.lang, translation.name.split(',')[0], translation.res_id)
+        )
+        for lang, model, _id in tuple_lang_model_id:
+            ids_by_model_by_lang.setdefault(lang, {}).setdefault(model, set()).add(_id)
+        for lang in ids_by_model_by_lang:
+            for res_model, res_ids in ids_by_model_by_lang[lang].items():
+                self.env[res_model].with_context(lang=lang).browse(res_ids)
+
+        for trans in translations_for_mail_render_mixin:
+            res_model, res_id = trans.name.split(',')[0], trans.res_id
+            rec = self.env[res_model].with_context(lang=trans.lang).browse(res_id)
+
+            if rec._is_dynamic():
+                group = self.env.ref('mail.group_mail_template_editor')
+                more_info = len(self) > 1 and ' [%s]' % rec or ''
+                raise AccessError(
+                    _('Only users belonging to the "%(group)s" group can modify translation related to dynamic templates.%(xtra)s',
+                      group=group.name,
+                      xtra=more_info
+                    )
+                )
diff --git a/addons/mail/tests/test_mail_template.py b/addons/mail/tests/test_mail_template.py
@@ -70,12 +70,92 @@ def test_mail_template_acl(self):
         with self.assertRaises(AccessError):
             self.env['mail.template'].with_user(self.user_employee).create({'body_html': '<p t-esc="\'foo\'"></p>'})
 
+        # Standard employee cannot edit templates from another user, non-dynamic and dynamic
+        with self.assertRaises(AccessError):
+            mail_template.with_user(self.user_employee).body_html = '<p>foo</p>'
         with self.assertRaises(AccessError):
             mail_template.with_user(self.user_employee).body_html = '<p t-esc="\'foo\'"></p>'
 
+        # Standard employee can edit his own templates if not dynamic
+        employee_template.with_user(self.user_employee).body_html = '<p>foo</p>'
+
         # Standard employee cannot create and edit templates with dynamic inline fields
         with self.assertRaises(AccessError):
             self.env['mail.template'].with_user(self.user_employee).create({'email_to': '{{ object.partner_id.email }}'})
 
+        # Standard employee cannot edit his own templates if dynamic
+        with self.assertRaises(AccessError):
+            employee_template.with_user(self.user_employee).body_html = '<p t-esc="\'foo\'"></p>'
+
+        with self.assertRaises(AccessError):
+            employee_template.with_user(self.user_employee).email_to = '{{ object.partner_id.email }}'
+
+    def test_mail_template_acl_translation(self):
+        ''' Test that a user that doenn't have the group_mail_template_editor cannot create / edit
+        translation with dynamic code if he cannot write dynamic code on the related record itself.
+        '''
+
+        self.env.ref('base.lang_fr').sudo().active = True
+
+        employee_template = self.env['mail.template'].with_user(self.user_employee).create({
+            'model_id': self.env.ref('base.model_res_partner').id,
+            'subject': 'The subject',
+            'body_html': '<p>foo</p>',
+        })
+
+        Translation = self.env['ir.translation']
+
+        ### check qweb dynamic
+        Translation.insert_missing(employee_template._fields['body_html'], employee_template)
+        employee_translations_of_body = Translation.with_user(self.user_employee).search(
+            [('res_id', '=', employee_template.id), ('name', '=', 'mail.template,body_html'), ('lang', '=', 'fr_FR')],
+            limit=1
+        )
+        # keep a copy to create new translation later
+        body_translation_vals = employee_translations_of_body.read([])[0]
+
+        # write on translation for template without dynamic code is allowed
+        employee_translations_of_body.value = 'non-qweb'
+
+        # cannot write dynamic code on mail_template translation for employee without the group mail_template_editor.
+        with self.assertRaises(AccessError):
+            employee_translations_of_body.value = '<t t-esc="foo"/>'
+
+        employee_translations_of_body.unlink()  # delete old translation, to test the creation now
+        body_translation_vals['value'] = '<p t-esc="foo"/>'
+
+        # admin can create
+        new = Translation.create(body_translation_vals)
+        new.unlink()
+
+        # Employee without mail_template_editor group cannot create dynamic translation for mail.render.mixin
+        with self.assertRaises(AccessError):
+            Translation.with_user(self.user_employee).create(body_translation_vals)
+
+
+        ### check qweb inline dynamic
+        Translation.insert_missing(employee_template._fields['subject'], employee_template)
+        employee_translations_of_subject = Translation.with_user(self.user_employee).search(
+            [('res_id', '=', employee_template.id), ('name', '=', 'mail.template,subject'), ('lang', '=', 'fr_FR')],
+            limit=1
+        )
+        # keep a copy to create new translation later
+        subject_translation_vals = employee_translations_of_subject.read([])[0]
+
+        # write on translation for template without dynamic code is allowed
+        employee_translations_of_subject.value = 'non-qweb'
+
+        # cannot write dynamic code on mail_template translation for employee without the group mail_template_editor.
+        with self.assertRaises(AccessError):
+            employee_translations_of_subject.value = '{{ object.foo }}'
+
+        employee_translations_of_subject.unlink()  # delete old translation, to test the creation now
+        subject_translation_vals['value'] = '{{ object.foo }}'
+
+        # admin can create
+        new = Translation.create(subject_translation_vals)
+        new.unlink()
+
+        # Employee without mail_template_editor group cannot create dynamic translation for mail.render.mixin
         with self.assertRaises(AccessError):
-            mail_template.with_user(self.user_employee).email_to = '{{ object.partner_id.email }}'
+            Translation.with_user(self.user_employee).create(subject_translation_vals)
